CVE-2025-11749
📋 TL;DR
The AI Engine WordPress plugin, in versions 3.1.3 and earlier, discloses a bearer token through an unauthenticated REST API endpoint (/wp-json/mcp/v1/) when the 'No-Auth URL' feature is enabled. An attacker with no credentials can read the token, use it to create an administrator account, and take over the site completely.
💻 Affected Systems
- AI Engine WordPress Plugin
⚠️ Manual Verification Required
The vulnerability database entry this page draws on carries no vendor/NVD version range, so scanners that key on that data cannot decide automatically whether your site is affected.
Why? The CVE record used here lists no affected-version ranges. The range stated elsewhere on this page (3.1.3 and earlier affected, fixed in 3.1.4) is taken from the vendor's fix changeset, so confirm it by hand:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to version 3.1.4 or later; when in doubt, update regardless of whether the No-Auth URL feature is enabled
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers create administrator accounts, install backdoors, deface websites, steal sensitive data, and use the compromised server for further attacks.
Likely Case
Attackers gain administrative access to WordPress, modify content, install malicious plugins/themes, and potentially access sensitive user data.
If Mitigated
If the 'No-Auth URL' feature is disabled or the plugin is patched, the token is not reachable and the endpoint gives an attacker nothing. Where a site is nonetheless compromised, network segmentation, least-privilege hosting and database credentials, and monitoring confine the damage to the WordPress instance and prevent lateral movement.
🎯 Exploit Status
Unauthenticated and trivial: a single HTTP GET to /wp-json/mcp/v1/ returns the exposed bearer token when No-Auth URL is enabled, and the token is then used to create an administrator account. Nothing beyond an HTTP client such as curl is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.4
Fix reference (plugin changeset): https://plugins.trac.wordpress.org/changeset/3380753/ai-engine#file10
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the AI Engine plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 3.1.4 or later from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable No-Auth URL Feature
Platform: all. Disable the 'No-Auth URL' setting in the AI Engine plugin configuration; the token is only exposed while this feature is on. This removes the exposure immediately but is not a substitute for the update.
Block REST API Endpoint
Platform: Linux (Apache with mod_rewrite). Add the following to the site's .htaccess above the '# BEGIN WordPress' block so it runs before WordPress's own rewrite rules. The second condition also blocks the query-string form of the same route (index.php?rest_route=/mcp/v1/, which may arrive percent-encoded as %2Fmcp%2Fv1); WordPress serves that form even when the pretty-permalink path is blocked, so a rule on the path alone can be bypassed:
RewriteEngine On
RewriteCond %{REQUEST_URI} /wp-json/mcp/v1 [NC,OR]
RewriteCond %{QUERY_STRING} rest_route=(/|%2F)mcp(/|%2F)v1 [NC]
RewriteRule .* - [F,L]
🧯 If You Can't Patch
- Disable AI Engine plugin completely until patched
- Implement WAF rules to block requests to /wp-json/mcp/v1/ and to index.php with a rest_route=/mcp/v1/ query parameter (including the percent-encoded form), since both reach the same REST route
🔍 How to Verify
Check if Vulnerable:
Check that the AI Engine plugin is installed and that its version is 3.1.3 or earlier, then confirm whether 'No-Auth URL' is enabled in the plugin settings. The token is only exposed when both hold, but any version at or below 3.1.3 should be updated regardless of the setting.
Check Version:
wp plugin list --name=ai-engine --field=version
Verify Fix Applied:
Confirm plugin version is 3.1.4 or higher in WordPress admin → Plugins → AI Engine
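A scripted form of the version check above, added here as an example and not part of the advisory or the AI Engine plugin. It compares the installed version against 3.1.4 component by component, so 3.1.10 is correctly treated as patched (a plain string comparison sorts it before 3.1.4 and gets this wrong). It assumes WP-CLI is installed and is run from the WordPress root, and that the plugin slug is ai-engine; the No-Auth URL setting itself still has to be read from the plugin's settings page.

```shell
#!/bin/sh
# Added example, not part of the advisory or the AI Engine plugin.
# Classifies an AI Engine version against the fixed release (3.1.4) with a
# numeric, dot-separated comparison, avoiding the string-sort trap where
# "3.1.10" < "3.1.4". Assumes WP-CLI is installed and that ai_engine_check is
# run from the WordPress root; the plugin slug is assumed to be ai-engine.

FIXED_VERSION='3.1.4'

# version_lt A B: exit 0 when A is older than B. Components are compared
# numerically; a missing component counts as 0 (so 3.1 < 3.1.4); a suffix
# such as "4-beta" compares as 4 (awk numeric coercion of the leading digits).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal: not less than
    }'
}

# ai_engine_status VERSION: prints "affected" (<= 3.1.3) or "patched" (>= 3.1.4).
# Version alone does not decide exposure: the token is only leaked while the
# No-Auth URL feature is on, but any affected version should be updated.
ai_engine_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo affected
    else
        echo patched
    fi
}

# ai_engine_check: read the installed version through WP-CLI and classify it.
# Exits 2 when the plugin is absent or WP-CLI cannot run from this directory.
ai_engine_check() {
    v=$(wp plugin get ai-engine --field=version 2>/dev/null) || {
        echo "ai-engine: not installed, or WP-CLI not usable from $(pwd)"
        return 2
    }
    echo "ai-engine $v: $(ai_engine_status "$v")"
}

# Stand-alone demo on fixed strings, then the live check if WP-CLI exists.
for v in 3.0.9 3.1.3 3.1.4 3.1.10 3.2; do
    echo "$v -> $(ai_engine_status "$v")"
done
if command -v wp >/dev/null 2>&1; then
    ai_engine_check || true
fi
```

Run it from the WordPress root (cd /var/www/html && sh check-ai-engine.sh); a site with WP-CLI installed prints the live classification after the demo lines. If the result is "affected", disable No-Auth URL first and then update, since the token is exposed for as long as both conditions hold.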
📡 Detection & Monitoring
Log Indicators:
- HTTP requests (GET or POST) to /wp-json/mcp/v1/ or any sub-path, and to index.php with a rest_route=/mcp/v1/ query parameter (possibly percent-encoded)
- Creation of a new administrator account, or promotion of an existing user to administrator, with no matching admin login session, shortly after such requests
Network Indicators:
- Unusual traffic to WordPress REST API endpoints from unknown IPs, especially scripted clients (curl, python-requests)
- 'Bearer' token strings appearing in URL query parameters or request logs
SIEM Query (adjust field names to your log source; the wildcard on uri_path is needed because sub-paths of the route are also served):
source="wordpress" AND (uri_path="/wp-json/mcp/v1/*" OR uri_query="*rest_route=*mcp*v1*" OR (event="user_created" AND user_role="administrator"))
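To turn the indicators above into something that runs over an access log, here is an added example (not from the advisory or the plugin) that flags requests to the MCP routes in both URL forms WordPress accepts, counts how many were actually answered with 200, and counts distinct source IPs. The log lines it ships with are constructed for the demonstration; the IPs, timestamps and user agents are not real observations.

```shell
#!/bin/sh
# Added example, not part of the advisory or the AI Engine plugin.
# Scans access-log lines (Apache/nginx "combined" format) for requests that
# reach the AI Engine MCP REST routes. Both forms WordPress accepts for the
# same route are matched, since a block on the path alone misses the second:
#   /wp-json/mcp/v1/...                 (pretty permalinks)
#   /index.php?rest_route=/mcp/v1/...   (rest_route may arrive as %2Fmcp%2Fv1)

MCP_PATTERN='wp-json/mcp/v1|rest_route=(/|%2f)mcp(/|%2f)v1'

# mcp_hits: "client_ip status request_path" for every matching line on stdin.
mcp_hits() {
    grep -Ei "$MCP_PATTERN" | awk '{ print $1, $9, $7 }'
}

# mcp_hit_count: number of matching lines on stdin (prints 0 when none).
mcp_hit_count() {
    grep -Eic "$MCP_PATTERN" || true   # grep -c exits 1 on a zero count
}

# mcp_served_count: matching requests answered with HTTP 200. Before the patch
# a 200 here means the endpoint (and, with No-Auth URL on, the token) was
# reachable; once the .htaccess or WAF block is in place every hit should be 403.
mcp_served_count() {
    grep -Ei "$MCP_PATTERN" | awk '$9 == 200 { n++ } END { print n + 0 }'
}

# mcp_source_ip_count: number of distinct client IPs that touched the route,
# a quick triage figure for telling a broad scanner from a single actor.
mcp_source_ip_count() {
    grep -Ei "$MCP_PATTERN" | awk '{ print $1 }' | sort -u | awk 'END { print NR }'
}

# Constructed sample log; these are not real requests. Lines 1-3 are hits
# (two pretty-permalink calls served 200, one encoded rest_route call already
# blocked with 403); lines 4-5 are ordinary traffic.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2025:14:02:11 +0000] "GET /wp-json/mcp/v1/ HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.5 - - [10/Oct/2025:14:02:13 +0000] "POST /wp-json/mcp/v1/ HTTP/1.1" 200 311 "-" "curl/8.4.0"
198.51.100.9 - - [10/Oct/2025:14:05:40 +0000] "GET /index.php?rest_route=%2Fmcp%2Fv1%2F HTTP/1.1" 403 199 "-" "python-requests/2.32"
192.0.2.77 - - [10/Oct/2025:14:06:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2025:14:06:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"'

# Stand-alone run over the sample. For a real log:
#   mcp_hits < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | mcp_hits
echo "hits: $(printf '%s\n' "$SAMPLE_LOG" | mcp_hit_count)" \
     "served_200: $(printf '%s\n' "$SAMPLE_LOG" | mcp_served_count)" \
     "source_ips: $(printf '%s\n' "$SAMPLE_LOG" | mcp_source_ip_count)"
```

Any hit served with 200 on a site that had No-Auth URL enabled before the update should be treated as a probable token disclosure: rotate the token, review users created or promoted to administrator after the first hit, and check for new plugins or themes installed from that point on.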