Has the AI Engine vulnerability been patched?

Yes, AI Engine version 3.1.4, released on October 19, 2025, patches this flaw by adding the show_in_index => false argument to all No-Auth URL endpoints. However, the patch alone is insufficient for sites that previously had the feature enabled, as any previously exposed bearer token remains compromised.

What is the No-Auth URL feature in AI Engine?

The No-Auth URL feature is a setting in the AI Engine plugin's MCP configuration that, when enabled, allows AI agents to access the WordPress site without traditional authentication. The vulnerability occurs because this feature improperly exposes bearer tokens in public REST API endpoints. This setting is disabled by default, so only sites that manually enabled it are affected.

What is a bearer token in the context of AI Engine?

A bearer token in AI Engine functions as a master password that authorizes AI agents to execute privileged commands on WordPress sites. When the No-Auth URL feature is enabled, this token is improperly embedded in REST API endpoint paths and exposed in the public API index, allowing unauthenticated attackers to steal it and gain administrator-level access.

Why is token rotation necessary after patching AI Engine?

Token rotation is necessary for sites that previously had the No-Auth URL feature enabled because any bearer token that was exposed before the patch remains compromised. Attackers may have already harvested these tokens from the public API index before the vulnerability was patched. Simply updating to version 3.1.4 doesn't invalidate previously exposed tokens, so administrators must manually rotate the bearer token in the AI Engine settings to ensure security.

Is my site vulnerable if I never enabled the No-Auth URL feature?

No, the vulnerability only affects sites where the No-Auth URL setting has been manually enabled in the MCP configuration. Since this setting is disabled by default, sites that never enabled it are not vulnerable to CVE-2025-11749.

What is the Model Context Protocol in AI Engine?

The Model Context Protocol (MCP) is a system integrated into the AI Engine plugin that enables artificial intelligence agents such as Claude and ChatGPT to perform complex WordPress management tasks. It provides a communication interface that allows AI systems to execute commands for user account modifications, media handling, content editing, and site administration through bearer token authentication.

How are the bearer tokens exposed in CVE-2025-11749?

The bearer tokens are exposed because the plugin registers REST API routes that embed the token directly in the endpoint path. Without the show_in_index => false parameter, WordPress automatically lists these sensitive URLs complete with the bearer token in the publicly accessible REST API index at /wp-json/. Any unauthenticated user can view this index and extract the token.

What commands can attackers execute through the AI Engine vulnerability?

Once attackers obtain the bearer token, they can execute administrator-level commands through the MCP interface. Security researchers demonstrated that attackers can use commands such as wp_update_user to modify user roles to administrator, enabling them to perform any WordPress management tasks including user account modifications, media handling, content editing, and complete site administration.

What is the CVSS score of CVE-2025-11749?

CVE-2025-11749 has a CVSS score of 9.8, which is classified as critical severity. This high rating reflects the ease of exploitation for unauthenticated attackers, the complete privilege escalation to administrator level, and the potential for total site compromise.

Where can attackers find the exposed bearer tokens?

Attackers can find the exposed bearer tokens in the publicly accessible REST API index at /wp-json/ on vulnerable WordPress sites. This index automatically lists all registered REST API routes, and when the No-Auth URL feature is enabled without proper configuration, it includes the MCP endpoints with bearer tokens embedded directly in the URL paths.

What was the cause of the AI Engine security flaw?

The security flaw was caused by improper REST API endpoint registration within the plugin's Meow_MWAI_Labs_MCP class. When the No-Auth URL feature is enabled, the developers failed to include the show_in_index => false parameter during REST route registration, causing WordPress to automatically list the sensitive URLs with embedded bearer tokens in the public API index.

How was CVE-2025-11749 fixed in AI Engine 3.1.4?

AI Engine version 3.1.4, released on October 19, 2025, fixes CVE-2025-11749 by adding the show_in_index => false argument to all No-Auth URL endpoints. This prevents WordPress from listing these sensitive endpoints in the public REST API index, keeping bearer tokens hidden from unauthenticated users.

What AI agents work with the AI Engine plugin?

The AI Engine plugin integrates with artificial intelligence agents such as Claude and ChatGPT through the Model Context Protocol. These AI systems can use the plugin to perform complex WordPress management tasks when authorized with the bearer token.

Advisory

Critical vulnerability reported in AI Engine WordPress plugin

Q: What is CVE-2025-11749?

CVE-2025-11749 is a critical security vulnerability with a CVSS score of 9.8 affecting the AI Engine WordPress plugin. It enables unauthenticated attackers to extract bearer tokens and escalate their privileges to administrator level, potentially leading to complete site compromise. The vulnerability is caused by improper REST API endpoint registration that exposes bearer tokens in publicly accessible API indexes.

Q: How does the AI Engine vulnerability work?

When administrators enable the No-Auth URL feature in the MCP settings, the plugin registers REST API routes that embed the bearer token directly in the endpoint path, such as /mcp/v1/[token]/sse and /mcp/v1/[token]/messages. Because the developers didn't include the show_in_index => false parameter during REST route registration, WordPress automatically lists these sensitive URLs, complete with the bearer token, in the publicly accessible REST API index at /wp-json/. Any unauthenticated attacker can access this public index, retrieve the exposed bearer token, and use it to authenticate to the MCP endpoint without any credentials.

Q: What should AI Engine administrators do about CVE-2025-11749?

Administrators must update to AI Engine version 3.1.4 or later. For sites that previously had the No-Auth URL feature enabled, administrators must both patch AND rotate the bearer token in the AI Engine settings page to invalidate any previously exposed credentials. The patch alone is insufficient because attackers may have already harvested exposed tokens from the public API index.

published: Nov. 5, 2025

Learn More

A critical security vulnerability is reported in the AI Engine WordPress plugin that enables unauthenticated attackers to extract bearer tokens and escalate their privileges to administrator level, potentially leading to complete site compromise.

The AI Engine plugin integrates the Model Context Protocol (MCP) with artificial intelligence agents such as Claude and ChatGPT, enabling these AI systems to perform complex WordPress management tasks including user account modifications, media handling, content editing, and site administration. The plugin uses a bearer token—essentially a master password—that authorizes AI agents to execute privileged commands on WordPress sites.

The flaw is tracked as CVE-2025-11749 (CVSS score 9.8) and is caused by improper REST API endpoint registration within the plugin's Meow_MWAI_Labs_MCP class when administrators enable the "No-Auth URL" feature in the MCP settings. When this feature is activated, the plugin registers REST API routes that embed the bearer token directly in the endpoint path, such as /mcp/v1/[token]/sse and /mcp/v1/[token]/messages. Because the developers didn't include the 'show_in_index => false' parameter during REST route registration, WordPress automatically listing these sensitive URLs, complete with the bearer token in the publicly accessible REST API index at /wp-json/. Any unauthenticated attacker could access this public index, retrieve the exposed bearer token, and use it to authenticate to the MCP endpoint without any credentials.

Once an attacker obtains the bearer token, they gain full access to execute administrator-level commands through the MCP interface. Security researchers demonstrated that attackers can use commands such as 'wp_update_user' to modify their own user role to administrator.

The vulnerability affects all versions of AI Engine up to and including 3.1.3 where the "No-Auth URL" setting has been manually enabled in the MCP configuration. That setting is disabled by default.

AI Engine version 3.1.4 on October 19, 2025 patches this flaw by adding the 'show_in_index => false' argument to all "No-Auth URL" endpoints.

The patch alone is insufficient for sites that previously had the "No-Auth URL" feature enabled. Any bearer token that was exposed before the patch remains compromised, as attackers may have already harvested these tokens from the public API index. For these affected sites administrators must patch AND rotate the bearer token in the AI Engine settings page to invalidate any previously exposed credentials.

Critical vulnerability reported in AI Engine WordPress plugin

Read More
Dokan Pro WordPress Plugin has maximum severity SQL …
Data breach claimed by hacker "Satanic" targeting WooCommerce …
Critical flaw in Service Finder WordPress Theme actively …
Joomla CMS releases patches for several XSS vulnerabilities
Critical flaw reported in WPLMS Learning Management System …