CVE-2025-5071

EUVD-2025-28374 | HIGH
2025-06-19 [email protected]
CVSS 3.1 base score: 8.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

- Analysis Generated: Mar 15, 2026 00:08 (vuln.today)
- EUVD ID Assigned: Mar 15, 2026 00:08 (euvd), EUVD-2025-28374
- Patch Released: Mar 15, 2026 00:08 (nvd), patch available
- CVE Published: Jun 19, 2025 10:15 (nvd), HIGH 8.8

Description

The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Meow_MWAI_Labs_MCP::can_access_mcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like 'wp_create_user', 'wp_update_user' and 'wp_update_option', which can be used for privilege escalation, and 'wp_update_post', 'wp_delete_post', 'wp_update_comment' and 'wp_delete_comment', which can be used to edit and delete posts and comments.

Analysis

The AI Engine WordPress plugin (versions 2.8.0-2.8.3) contains a missing capability check in the 'Meow_MWAI_Labs_MCP::can_access_mcp' function, allowing authenticated subscribers and above to access the Model Context Protocol (MCP) interface and execute arbitrary WordPress administrative commands. This enables privilege escalation, unauthorized user creation/modification, and data destruction through post and comment manipulation. The vulnerability has a CVSS score of 8.8 (High) and poses immediate risk to any WordPress installation running affected versions with user registration enabled.

Technical Context

The vulnerability exists in the AI Engine plugin's MCP (Model Context Protocol) implementation, specifically in the capability verification layer. The 'can_access_mcp' function fails to enforce WordPress capability checks before allowing access to sensitive MCP commands. CWE-863 (Incorrect Authorization) indicates the root cause is improper validation of user permissions against the WordPress role-based access control (RBAC) system. The affected plugin integrates AI capabilities via MCP, which provides a command execution interface. Authenticated users at subscriber level and above can bypass authorization controls and invoke functions like 'wp_create_user', 'wp_update_user', 'wp_update_option', 'wp_update_post', 'wp_delete_post', 'wp_update_comment', and 'wp_delete_comment'—all of which normally require administrator privileges. The missing check violates the principle of least privilege and breaks WordPress's capability delegation model.
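To make the root cause concrete, the following is an added illustration of the authorization pattern described above, written for this page; it is not the AI Engine plugin's code. The class names, the route namespace and the tool allowlist are hypothetical; only the method name `can_access_mcp` and the command names are taken from the advisory text. The unsafe class shows the CWE-863 shape (authentication confirmed, authorization never checked), and the safe class shows the check that restores WordPress's capability model.

```php
<?php
// Added illustrative example for CVE-2025-5071 (not the plugin's code).
// Hypothetical names: Hypothetical_MCP_Unsafe, Hypothetical_MCP_Safe,
// the 'hypothetical-mcp/v1' REST namespace and the tool allowlist below.

// Vulnerable shape (CWE-863): the gate only asks "is someone logged in?".
// A subscriber is logged in, so the gate opens for every authenticated role.
class Hypothetical_MCP_Unsafe {
    public function can_access_mcp() {
        return is_user_logged_in();
    }
}

// Hardened shape: the gate asks "does this user hold a capability that
// the commands behind it require?". 'manage_options' is a real WordPress
// capability granted to administrators by default, and the commands the
// advisory lists (wp_create_user, wp_update_option, ...) are admin-level.
class Hypothetical_MCP_Safe {

    // Tools this endpoint is willing to dispatch (hypothetical allowlist).
    // Each tool is mapped to the capability that WordPress itself demands
    // for the equivalent action, so the check is not a single blanket test.
    private $tool_capabilities = array(
        'wp_create_user'    => 'create_users',
        'wp_update_user'    => 'edit_users',
        'wp_update_option'  => 'manage_options',
        'wp_update_post'    => 'edit_others_posts',
        'wp_delete_post'    => 'delete_others_posts',
        'wp_update_comment' => 'moderate_comments',
        'wp_delete_comment' => 'moderate_comments',
    );

    // Coarse gate: nobody below administrator reaches the MCP surface at all.
    public function can_access_mcp() {
        return is_user_logged_in() && current_user_can( 'manage_options' );
    }

    // Fine-grained gate: the specific tool needs its own capability too.
    public function can_run_tool( $tool ) {
        if ( ! isset( $this->tool_capabilities[ $tool ] ) ) {
            return false; // unknown tool: deny by default
        }
        return $this->can_access_mcp()
            && current_user_can( $this->tool_capabilities[ $tool ] );
    }

    // For a REST route the check belongs in permission_callback, so that
    // WordPress answers 401/403 before the handler body ever executes.
    public function register_routes() {
        register_rest_route( 'hypothetical-mcp/v1', '/tool', array(
            'methods'             => 'POST',
            'callback'            => array( $this, 'handle_tool' ),
            'permission_callback' => function ( WP_REST_Request $request ) {
                $tool = sanitize_key( (string) $request->get_param( 'tool' ) );
                if ( ! $this->can_run_tool( $tool ) ) {
                    // Log the denial: repeated 403s from one low-privilege
                    // account are the signal the Remediation section says to watch for.
                    error_log( sprintf(
                        'MCP tool "%s" denied for user %d',
                        $tool,
                        get_current_user_id()
                    ) );
                    return new WP_Error(
                        'rest_forbidden',
                        'Insufficient privileges for this tool.',
                        array( 'status' => 403 )
                    );
                }
                return true;
            },
        ) );
    }

    // Handler runs only after permission_callback returned true. It re-checks
    // anyway (defence in depth) and reports which capability authorized the call.
    public function handle_tool( WP_REST_Request $request ) {
        $tool = sanitize_key( (string) $request->get_param( 'tool' ) );
        if ( ! $this->can_run_tool( $tool ) ) {
            return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
        }
        return rest_ensure_response( array(
            'tool'          => $tool,
            'authorized_by' => $this->tool_capabilities[ $tool ],
            'user_id'       => get_current_user_id(),
        ) );
    }
}

// Hook the safe routes into WordPress (hypothetical bootstrap).
add_action( 'rest_api_init', array( new Hypothetical_MCP_Safe(), 'register_routes' ) );
```

The two points worth taking from the example are that `is_user_logged_in()` answers authentication, not authorization, and that the capability required should match what the dispatched command actually does; a single `manage_options` gate is the minimum, and the per-tool map keeps a future lower-privilege tool from silently inheriting administrator-only reach.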

Affected Products

AI Engine WordPress plugin, versions 2.8.0, 2.8.1, 2.8.2, and 2.8.3. The vulnerability affects all installations of these versions regardless of configuration, though risk is highest on sites with user registration enabled. Unaffected versions: 2.7.9 and earlier (pre-vulnerability introduction), and 2.8.4 and later (patched). CPE data would be 'cpe:2.3:a:meow_apps:ai_engine:2.8.0:*:*:*:*:wordpress:*:*' through '2.8.3'. Vendor: Meow Apps (developer of the AI Engine plugin).

Remediation

Immediate actions:

1. Update the AI Engine plugin to version 2.8.4 or later immediately; this patch version includes the missing capability check in 'Meow_MWAI_Labs_MCP::can_access_mcp'.
2. If immediate patching is not possible, disable the AI Engine plugin entirely until the patch is applied.
3. For sites that cannot update quickly, restrict user registration to trusted accounts only and audit user roles to remove unnecessary subscriber-level accounts.
4. Monitor WordPress audit logs and MCP function execution logs for suspicious 'wp_create_user', 'wp_update_user', 'wp_update_option', 'wp_delete_post', and 'wp_delete_comment' calls from low-privilege users.
5. Implement Web Application Firewall (WAF) rules to block MCP requests from non-administrator sources.
6. Review and revoke any suspicious administrator accounts created after plugin installation.

Vendor patch location: consult the official Meow Apps plugin repository on WordPress.org; the patch was released in version 2.8.4.

Priority Score

44 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0


CVE-2025-5071 vulnerability details – vuln.today
