A critical security vulnerability has emerged in the WordPress ecosystem, exposing over 100,000 websites to privilege escalation attacks through the AI Engine pluginβs Model Context Protocol (MCP) implementation.
The vulnerability, designated CVE-2025-5071 with a high CVSS rating of 8.8, affects AI Engine plugin versions 2.8.0 through 2.8.3, allowing authenticated attackers with minimal subscriber-level access to gain full administrative control over targeted WordPress sites.
The security flaw centers around an insufficient authorization mechanism within the pluginβs MCP functionality, which enables AI agents like Claude or ChatGPT to control and manage WordPress websites by executing various commands.
The vulnerability specifically targets the can_access_mcp() function in the Meow_MWAI_Labs_MCP class, where inadequate permission checks grant unauthorized access to powerful WordPress management capabilities.
Wordfence analysts identified this critical security gap on May 21, 2025, during routine threat intelligence operations, prompting immediate responsible disclosure procedures.
The vulnerabilityβs impact extends beyond simple unauthorized access, as successful exploitation enables attackers to execute commands such as wp_update_user, wp_create_user, and wp_update_option, effectively allowing complete site compromise through privilege escalation.
However, the vulnerability only critically affects users who have specifically enabled the Dev Tools and subsequently activated the MCP module in their plugin settings, which remains disabled by default.
The attack vector leverages the pluginβs authentication framework, where attackers can bypass security controls and gain administrative privileges, subsequently enabling them to upload malicious plugins, modify content, and establish persistent backdoors on compromised websites.
Following the discovery, Wordfence Premium, Care, and Response users received protective firewall rules on May 22, 2025, while free users received the same protection on June 21, 2025.
Technical Authentication Bypass MechanismThe vulnerabilityβs core lies in a flawed authentication implementation within the auth_via_bearer_token() function.
The original vulnerable code contains a critical oversight where the function fails to properly validate empty token values:-
public function auth_via_bearer_token( $allow, $request ) { if ( empty( $this->bearer_token ) ) { return false; } $hdr = $request->get_header( 'authorization' ); if ( $hdr && preg_match( '/Bearer\s+(.+)/i', $hdr, $m ) && hash_equals( $this->bearer_token, trim( $m[1] ) ) ) { return true; } return $allow; }
This implementation allows attackers to bypass authentication by simply omitting the Bearer token, causing the function to return the default $allow value, which defaults to true for logged-in users.
The patch addresses this by implementing strict administrator capability checks and comprehensive empty value validation.