AI Engine 2.8.4 – Insecure OAuth Implementation | CVE 2025-6238 | Plugin Vulnerabilities

Description

The plugin is vulnerable to open redirect due to an insecure OAuth implementation, as the 'redirect_uri' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the authorization code and obtain an access token by redirecting the user to an attacker-controlled URI. Note: OAuth is disabled, the 'Meow_MWAI_Labs_OAuth' class is not loaded in the plugin in the patched version 2.8.5.

Affects Plugins

Fixed in 2.8.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1edc84fd-8cb5-4899-9444-1b6ae3144917

Classification

Type

REDIRECT

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

István Márton

Verified

No

WPVDB ID

b9beb423-48a3-47b3-9352-7b74b8f937a1

Timeline

Publicly Published

2025-07-03 (about 10 months ago)

Added

2025-07-03 (about 10 months ago)

Last Updated

2025-07-03 (about 10 months ago)

Other

Published

Title

Published

2024-05-29

Title

WP Content Copy Protection & No Right Click (premium) < 15.3 - Open Redirect

Published

2014-08-01

Title

WPtouch 1.9.27 - 'wptouch_redirect' Parameter URI Redirection

Published

2026-01-30

Title

Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress <= 1.4.1 - Unauthenticated Open Redirect

Published

2014-08-01

Title

Age Verification <= 0.4 - Open Redirect

Published

2024-04-05

Title

OAuth Server < 4.4.0 - Open Redirect