WordPress Plugin Vulnerabilities

AI Engine 2.8.0 - 2.8.3 - Subscriber+ Privilege Escalation via MCP

Description

The plugin is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Meow_MWAI_Labs_MCP::can_access_mcp' function This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like 'wp_create_user', 'wp_update_user' and 'wp_update_option', which can be used for privilege escalation, and 'wp_update_post', 'wp_delete_post', 'wp_update_comment' and 'wp_delete_comment', which can be used to edit and delete posts and comments.

Affects Plugins

Plugin icon
ai-engine
Fixed in 2.8.4

References

CVE
CVE-2025-5071
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0e7654a1-0020-4bf1-86be-bdb238a9fe0d

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
8.8 (high)

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
d15c9d6a-5a0e-4e71-899d-40b24e4ca6e0

Timeline

Publicly Published
2025-06-18 (about 10 months ago)
Added
2025-06-19 (about 10 months ago)
Last Updated
2025-06-19 (about 10 months ago)

Other

Published
Title
Published
2025-07-01
Title
Soumettre.fr <= 2.1.5 - Unauthenticated Soumettre Posts Creation/Modification/Deletion
Published
2025-10-31
Title
SiteSEO < 1.3.2 - Author+ Plugin Settings Update
Published
2025-08-15
Title
OceanWP < 4.1.2 - Subscriber+ Limited Option Update
Published
2024-04-05
Title
PostX – Gutenberg Blocks for Post Grid < 3.2.4 - Incorrect Authorization
Published
2024-06-10
Title
WPS Hide Login < 1.9.16 - Login Page Disclosure