Ai Engine

3 CVEs product


CVE-2025-5570 MEDIUM This Month

The AI Engine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the mwai_chatbot shortcode 'id' parameter in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Tags: WordPress, XSS, Ai Engine, PHP
Source: NVD | CVSS 3.1: 5.4 | EPSS: 0.0%

CVE-2025-6238 HIGH PATCH This Week

The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirect_uri' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the authorization code and obtain an access token by redirecting the user to an attacker-controlled URI. Note: in the patched version 2.8.5, OAuth is disabled and the 'Meow_MWAI_Labs_OAuth' class is not loaded in the plugin.

Tags: WordPress, Open Redirect, Ai Engine, PHP
Source: NVD | CVSS 3.1: 8.0 | EPSS: 0.1%

CVE-2025-5071 HIGH PATCH This Week

The AI Engine WordPress plugin (versions 2.8.0-2.8.3) contains a missing capability check in the 'Meow_MWAI_Labs_MCP::can_access_mcp' function, allowing authenticated subscribers and above to access the Model Context Protocol (MCP) interface and execute arbitrary WordPress administrative commands. This enables privilege escalation, unauthorized user creation/modification, and data destruction through post and comment manipulation. The vulnerability has a CVSS score of 8.8 (High) and poses immediate risk to any WordPress installation running affected versions with user registration enabled.

Tags: WordPress, Privilege Escalation, PHP, Ai Engine
Source: NVD | CVSS 3.1: 8.8 | EPSS: 0.1%
