Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
WordPress AI Engine Plugin Sensitive Information Exposure Vulnerability Allowing Privilege Escalation
Vulnerability
A vulnerability allowing sensitive information exposure has been identified in the AI Engine plugin for WordPress, affecting all versions through 3.1.3. The issue arises in the '/mcp/v1/' REST API endpoint, which inadvertently reveals the 'Bearer Token' value when the 'No-Auth URL' option is enabled. This exposure allows unauthenticated attackers to extract the bearer token, potentially leading to unauthorized access to a valid session. With this access, attackers could perform various actions, such as creating a new administrator account, thereby escalating privileges.
Impact
Exploitation of this vulnerability allows for unauthorized access to a valid session via the extracted bearer token. This access can be used to perform sensitive actions, including creating a new administrator account, which leads to privilege escalation.
Reproduction
To reproduce this vulnerability, enable the 'No-Auth URL' option in the AI Engine plugin settings. Then, send a request to the '/mcp/v1/' REST API endpoint. The response will include the 'Bearer Token' value, which can be used to access a valid session and escalate privileges by creating an administrator account.
Remediation
Users are advised to update the AI Engine plugin to version 3.1.4 or a newer patched version.
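The following is an added triage example, not code from the plugin or from this advisory's authors: it checks a plugin version string against the fixed release and groups web-server log requests to the '/mcp/v1/' route by client IP. It assumes combined-format access logs and WordPress's default REST routing (the `/wp-json/` prefix and the `rest_route` query parameter); the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

MCP_ROUTE = "/mcp/v1/"   # endpoint named in the advisory
FIXED = (3, 1, 4)        # first patched version per the advisory
# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def is_patched(version: str) -> bool:
    """True if a dotted plugin version string is 3.1.4 or newer."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts))) >= FIXED

def rest_route(target: str) -> str:
    """REST route addressed by a request target, or '' if it is not a REST call."""
    url = urlsplit(target)
    path = unquote(url.path)
    if "/wp-json/" in path:  # pretty permalinks, also under a subdirectory
        return "/" + path.split("/wp-json/", 1)[1]
    # Plain permalinks: ?rest_route=/mcp/v1/ (parse_qs percent-decodes it)
    return parse_qs(url.query).get("rest_route", [""])[0]

def mcp_hits(lines):
    """Group requests to the MCP route by client IP as (time, method, status)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, when, method, target, status = m.groups()
        # Trailing "/" so /mcp/v1 matches and /mcp/v10 does not
        if (rest_route(target) + "/").startswith(MCP_ROUTE):
            hits[ip].append((when, method, status))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:08:14:02 +0000] "GET /wp-json/mcp/v1/ HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [01/Jan/2025:08:14:09 +0000] "GET /?rest_route=%2Fmcp%2Fv1%2F HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.4 - - [01/Jan/2025:08:15:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2025:08:16:30 +0000] "GET /blog/wp-json/mcp/v1 HTTP/1.1" 404 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("3.1.3 patched?", is_patched("3.1.3"))
    for ip, reqs in mcp_hits(SAMPLE).items():
        print(ip, len(reqs), "request(s), first at", reqs[0][0], "statuses", [r[2] for r in reqs])
```

If a site ran an affected version with 'No-Auth URL' enabled and the logs show such requests, treat the bearer token as exposed and review the list of administrator accounts.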
