A serious security vulnerability has been identified in the AI Engine WordPress plugin, affecting over 100,000 installations. This flaw, designated as CVE-2025-11749 with a CVSS score of 9.8, enables unauthenticated attackers to extract bearer tokens from exposed REST API endpoints, allowing for privilege escalation. Discovered by Emiliano Versini and responsibly reported, the vulnerability is rooted in the No-Auth URL feature of the Model Context Protocol (MCP) settings.
When enabled, this feature creates publicly accessible endpoints whose bearer tokens are inadvertently displayed in the REST API index. An attacker who extracts such a token can authenticate with it and escalate to administrator-level privileges, which would allow uploading malicious plugins, injecting spam content, and redirecting visitors to harmful websites. The developer fixed the flaw in version 3.1.4, which stops these endpoints from being listed in the public index; affected users should update to that version and rotate their tokens immediately.
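The two remediation checks the advisory implies, as an added example that is not part of the original article or of the AI Engine plugin: a version comparison against the fixed release 3.1.4, and an offline audit of a saved WordPress REST index (`/wp-json/` output) that flags token-like strings appearing under a route's metadata. The route prefix `/example-ai/`, the key name `bearer_token` and the index JSON are constructed for the demonstration; the plugin's real route names and the exact shape of the exposure are not given by the article, so the audit is deliberately generic.

```python
import json
import re
from typing import Iterator, List, Tuple

# Fixed release named in the advisory.
FIXED_VERSION = "3.1.4"

# Loose pattern for secret-looking strings: a long run of URL-safe characters.
# Assumption for the example, not the plugin's actual token format.
TOKEN_RE = re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.1.4' into (3, 1, 4) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed plugin version predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def walk_strings(node, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string value in a JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def find_exposed_tokens(index: dict, route_prefix: str) -> List[Tuple[str, str]]:
    """Return (route, json_path) pairs where a token-like string sits under a
    key whose name mentions a token or bearer credential. A public REST index
    should never carry such values; any hit is worth rotating."""
    findings = []
    for route, meta in index.get("routes", {}).items():
        if not route.startswith(route_prefix):
            continue
        for json_path, value in walk_strings(meta):
            key_hint = json_path.lower()
            if TOKEN_RE.search(value) and ("token" in key_hint or "bearer" in key_hint):
                findings.append((route, json_path))
    return findings


# Constructed sample of what a REST index might look like with a leaked
# default value; the route and key names are hypothetical.
SAMPLE_INDEX = {
    "name": "Example Site",
    "routes": {
        "/wp/v2/posts": {"methods": ["GET"], "endpoints": [{"args": {}}]},
        "/example-ai/v1/mcp/noauth": {
            "methods": ["GET", "POST"],
            "endpoints": [
                {"args": {"bearer_token": {"default": "k7Qm2ZpX9vL4nR8sT1wB6yC3dF5hJ0aE"}}}
            ],
        },
    },
}


if __name__ == "__main__":
    # Typical use: save your own site's /wp-json/ response to a file, load it
    # with json.load(), and run both checks against it.
    print("update required:", needs_update("3.1.3"))
    for route, where in find_exposed_tokens(SAMPLE_INDEX, "/example-ai/"):
        print(f"token-like value exposed at {route}{where}")
```

The key-name filter keeps the audit from flagging every long identifier in the index (links, IDs); drop it if you want a noisier but broader sweep. Run the version check from the installed plugin's declared version rather than from any advisory text.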
👉 Read the original: Cyber Security News