CVE-2025-11749 Overview
CVE-2025-11749 is a sensitive information disclosure vulnerability in the AI Engine plugin for WordPress, affecting all versions up to and including 3.1.3. The flaw resides in the /mcp/v1/ REST API endpoint, which exposes the configured Bearer Token when the No-Auth URL option is enabled. Unauthenticated attackers can retrieve the token over the network and use it to authenticate as a privileged user. With a valid bearer token, an attacker can invoke administrative actions, including creating new administrator accounts. The vulnerability maps to CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Unauthenticated attackers can extract a valid Bearer Token and gain full administrative control of affected WordPress sites, resulting in complete site takeover.
Affected Products
- AI Engine plugin for WordPress, versions through 3.1.3
- WordPress sites with the AI Engine MCP module enabled
- WordPress sites with the No-Auth URL feature enabled in AI Engine
Discovery Timeline
- 2025-11-05 - CVE-2025-11749 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-11749
Vulnerability Analysis
The AI Engine plugin implements a Model Context Protocol (MCP) endpoint at /mcp/v1/ to allow external clients to interact with the plugin's AI features. When site administrators enable the No-Auth URL feature, the plugin generates a Bearer Token used by trusted clients to authenticate against the MCP endpoint. The vulnerability stems from the endpoint returning that Bearer Token in its response without requiring authentication. Any remote actor who can reach the WordPress site over HTTP can issue a request to the MCP endpoint and read the token value.
Once the attacker holds the token, they can authenticate to the MCP REST API and execute any operation the token authorizes. This includes invoking tools that create WordPress users, modify content, or change site configuration. Creating a new administrator account converts an information disclosure flaw into full site compromise. The vulnerability has a high EPSS exploitation probability, indicating elevated real-world risk.
Root Cause
The root cause is a missing authorization check on the response data path of the /mcp/v1/ endpoint. The plugin returns sensitive configuration data, including the Bearer Token, in the endpoint response when No-Auth URL mode is enabled. The relevant code can be reviewed in the AI Engine plugin source on plugins.trac.wordpress.org. The fix, available in the 3380753 changeset, removes the token from the unauthenticated response.
Attack Vector
The attack is network-based and requires no authentication, user interaction, or privileged position. An attacker enumerates WordPress sites running the AI Engine plugin, sends an unauthenticated HTTP request to the MCP REST endpoint, and parses the Bearer Token from the response. The attacker then replays the token in the Authorization: Bearer <token> header against the same endpoint to invoke MCP tools, including user creation functions that grant administrative privileges.
The vulnerability is described in prose because no verified public exploit code has been confirmed. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-11749
Indicators of Compromise
- Unauthenticated HTTP GET or POST requests to /wp-json/mcp/v1/ from unfamiliar source IP addresses
- New WordPress administrator accounts appearing in wp_users and wp_usermeta without a corresponding entry in the site's audit trail
- Unexpected Authorization: Bearer headers in access logs targeting the AI Engine MCP endpoint
- Outbound connections from the WordPress host to attacker-controlled infrastructure following MCP requests
Detection Strategies
- Inspect web server access logs for requests to paths matching /mcp/v1/ originating from unauthenticated sessions
- Correlate MCP endpoint access with subsequent administrative actions such as user creation or plugin installation
- Compare the installed AI Engine plugin version against 3.1.4 or later to identify vulnerable hosts
- Alert on responses from /mcp/v1/ that contain token-shaped strings to detect exposure on legacy installations
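As an added example (not part of the original advisory and not the plugin's own tooling), the following Python script applies the correlation strategy above to a few constructed access-log lines: it counts hits on the MCP endpoint per source IP and flags any source that reaches the endpoint and then calls a user-creation path within a 30-minute window. The user-creation paths, the window, and the sample log lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Nov/2025:10:01:12 +0000] "GET /wp-json/mcp/v1/ HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.7 - - [06/Nov/2025:10:01:40 +0000] "POST /wp-json/mcp/v1/ HTTP/1.1" 200 311 "-" "curl/8.4.0"
203.0.113.7 - - [06/Nov/2025:10:02:05 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 540 "-" "curl/8.4.0"
198.51.100.9 - - [06/Nov/2025:10:05:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
192.0.2.30 - - [06/Nov/2025:11:30:00 +0000] "GET /?rest_route=/mcp/v1/ HTTP/1.1" 200 812 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Substring match also catches the ?rest_route=/mcp/v1/ form of the REST path.
MCP_MARKER = "/mcp/v1"
# Assumed paths through which a new user can be created; extend to taste.
USER_CREATION_PATHS = ("/wp-json/wp/v2/users", "/wp-admin/user-new.php")
WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def analyze(log_text):
    """Return (MCP hit count per IP, IPs that hit MCP and then created a user in WINDOW)."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    mcp_hits = defaultdict(list)
    for e in events:
        if MCP_MARKER in e["path"]:
            mcp_hits[e["ip"]].append(e["ts"])
    suspicious = set()
    for e in events:
        bare_path = e["path"].split("?", 1)[0]
        if bare_path in USER_CREATION_PATHS and e["ip"] in mcp_hits:
            # Flag only when a user-creation request follows an MCP hit within WINDOW.
            if any(timedelta(0) <= e["ts"] - t <= WINDOW for t in mcp_hits[e["ip"]]):
                suspicious.add(e["ip"])
    return {ip: len(ts) for ip, ts in mcp_hits.items()}, suspicious


if __name__ == "__main__":
    hits, flagged = analyze(SAMPLE_LOG)
    print("MCP hits per IP:", hits)
    print("MCP access followed by user creation:", sorted(flagged))
```

In production, feed the function the raw web server log instead of SAMPLE_LOG and review every flagged source against the admin accounts listed in wp_users.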
Monitoring Recommendations
- Forward WordPress access and audit logs to a centralized SIEM and retain them for at least 90 days
- Monitor the wp_users table for unexpected role changes or new accounts with the administrator role
- Track REST API request volume per source IP and rate-limit anomalous spikes to the wp-json namespace
- Enable file integrity monitoring on wp-content/plugins/ai-engine/ to detect tampering
How to Mitigate CVE-2025-11749
Immediate Actions Required
- Update the AI Engine plugin to a version later than 3.1.3 immediately on all WordPress installations
- Disable the No-Auth URL feature in AI Engine settings until the plugin is patched
- Rotate the Bearer Token after patching to invalidate any token that may have been exposed
- Audit WordPress administrator accounts and remove any accounts that cannot be attributed to a known user
Patch Information
The maintainer released a fix in the changeset published at plugins.trac.wordpress.org/changeset/3380753. The patch removes the Bearer Token from the unauthenticated /mcp/v1/ response. Site operators should upgrade to the latest released version of AI Engine through the WordPress plugin manager or via WP-CLI.
Workarounds
- Disable the AI Engine plugin entirely if patching cannot be performed in the short term
- Restrict access to /wp-json/mcp/v1/ at the web server or WAF layer to allow only trusted source IP addresses
- Block unauthenticated requests to the MCP endpoint using a web application firewall rule
- Rotate all WordPress secrets, including authentication keys in wp-config.php, after confirming no compromise occurred
# Configuration example: update AI Engine and disable the MCP endpoint via WP-CLI
wp plugin update ai-engine
wp option patch delete mwai_options mcp_no_auth_url
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.