CVE-2026-8719 Overview
CVE-2026-8719 is a privilege escalation vulnerability in the AI Engine WordPress plugin, which provides chatbot, AI framework, and Model Context Protocol (MCP) functionality. The flaw affects version 3.4.9 and stems from missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path. Any valid OAuth token grants MCP access without verifying administrator privileges. Authenticated users with Subscriber-level access or higher can invoke admin-level MCP tools and escalate to Administrator. The issue is tracked under [CWE-269: Improper Privilege Management].
Critical Impact
Subscriber-level authenticated attackers can escalate to full WordPress Administrator privileges by invoking admin-only MCP tools through the OAuth authorization path.
Affected Products
- AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin
- Version 3.4.9
- WordPress installations with MCP OAuth functionality enabled
Discovery Timeline
- 2026-05-17 - CVE-2026-8719 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8719
Vulnerability Analysis
The AI Engine plugin exposes Model Context Protocol (MCP) tools that allow programmatic interaction with WordPress functionality. Access to these tools is gated by an OAuth bearer-token authorization path. In version 3.4.9, the authorization handler validates token authenticity but does not check whether the associated user holds the required WordPress capability, such as manage_options.
Because the capability check is absent, the authorization decision collapses into a binary token-validity test. Any authenticated user able to obtain a valid OAuth token receives access to the full MCP tool surface, including administrative tools. The attacker can then call MCP functions that modify user roles, install plugins, or change site options.
Exploitation requires only Subscriber-level access, the lowest authenticated WordPress role. Open registration sites are therefore exposed to anonymous attackers who can self-provision an account.
Root Cause
The root cause is missing capability enforcement in the MCP OAuth bearer-token authorization path. The code authenticates the bearer token but omits a corresponding current_user_can() check against an administrator-level capability before granting MCP access.
Attack Vector
The vulnerability is exploitable over the network. The attacker authenticates as a Subscriber, obtains an OAuth bearer token through the plugin's standard flow, and sends MCP tool invocations to the WordPress endpoint. Admin-only MCP tools execute under the attacker's token without rejecting the request based on role. The attacker uses these tools to grant themselves the administrator role or otherwise pivot to full site control.
For technical details, see the WordPress Plugin Changeset and the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2026-8719
Indicators of Compromise
- Unexpected role changes for previously low-privilege users, particularly Subscriber accounts promoted to Administrator.
- MCP tool invocations in plugin or web server logs originating from non-administrator user tokens.
- New administrator accounts, plugin installations, or theme changes that do not correspond to legitimate admin activity.
- OAuth token issuance to Subscriber-level accounts followed by access to admin-scoped MCP endpoints.
Detection Strategies
- Audit wp_users and wp_usermeta for role changes that lack a corresponding administrative session.
- Monitor HTTP requests to MCP endpoints under the ai-engine plugin route and correlate the calling user's WordPress role with the tool invoked.
- Alert on bearer-token-authenticated MCP calls where the associated user lacks the manage_options capability.
Monitoring Recommendations
- Forward WordPress audit logs to a centralized SIEM and create rules for role escalations and plugin installations.
- Enable verbose logging on the AI Engine plugin and retain access logs for the WordPress REST API namespace used by MCP.
- Track creation of new admin users and outbound calls initiated by the AI Engine plugin for signs of post-exploitation activity.
How to Mitigate CVE-2026-8719
Immediate Actions Required
- Update the AI Engine plugin to a version newer than 3.4.9 that includes the fix referenced in the plugin changeset 3533527.
- Disable the MCP feature in the AI Engine plugin settings until the patched version is deployed.
- Review all WordPress user accounts and revoke unexpected administrator privileges.
- Rotate OAuth client secrets and revoke existing bearer tokens issued by the plugin.
Patch Information
The fix is published in the WordPress plugin repository as changeset 3533527 for ai-engine. The patch adds the missing WordPress capability check to the MCP OAuth bearer-token authorization path so that administrator-level MCP tools are only accessible to users with the appropriate capability. Site operators should upgrade through the WordPress plugin updater or via WP-CLI.
Workarounds
- Disable open user registration to prevent anonymous attackers from obtaining Subscriber accounts.
- Restrict access to the AI Engine MCP endpoints at the web server or WAF layer to known administrator IP addresses.
- Temporarily deactivate the AI Engine plugin if MCP functionality is not required.
# Update the AI Engine plugin via WP-CLI
wp plugin update ai-engine
# Verify the installed version is greater than 3.4.9
wp plugin get ai-engine --field=version
# If a patched version is not yet available, deactivate the plugin
wp plugin deactivate ai-engine
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
