AI Engine Privilege Escalation Vulnerability in WordPress Plugin

Vulnerability

A privilege escalation vulnerability has been identified in the AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin, specifically in version 3.4.9. The issue arises from inadequate enforcement of WordPress capabilities in the MCP OAuth bearer-token authorization process. This flaw allows any valid OAuth token to grant MCP access without verifying whether the user has administrator privileges. As a result, authenticated users with Subscriber or higher roles can access admin-level MCP tools and elevate their privileges to Administrator.
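The authorization gap described above, shown with an added example that is not the plugin's own code: a WordPress REST permission callback that grants access on any valid bearer token, beside a hardened one that also requires the token's owner to hold an administrator capability. The token lookup function, the option name, the route namespace and the choice of manage_options are assumptions.

```php
<?php
// Added illustration of the flaw class, not code from the AI Engine plugin.
// mcp_lookup_oauth_token(), the option name and the route namespace are hypothetical.

/**
 * Hypothetical lookup: resolves a bearer token to the WordPress user ID it was
 * issued to, or returns 0 when the token is unknown, expired or revoked.
 */
function mcp_lookup_oauth_token( string $token ): int {
    // Stand-in for a real token store (constructed option name).
    $tokens = get_option( 'mcp_oauth_tokens_example', array() );
    return (int) ( $tokens[ $token ] ?? 0 );
}

// Extracts the token from "Authorization: Bearer <token>", or '' if absent.
function mcp_bearer_from_request( WP_REST_Request $request ): string {
    $header = (string) $request->get_header( 'authorization' );
    return preg_match( '/^Bearer\s+(\S+)$/i', $header, $m ) ? $m[1] : '';
}

// Weak pattern: a valid token is treated as sufficient, so the role of the user
// the token belongs to is never consulted (the gap described on this page).
function mcp_permission_token_only( WP_REST_Request $request ) {
    return mcp_lookup_oauth_token( mcp_bearer_from_request( $request ) ) > 0;
}

// Hardened pattern: the token must be valid AND its owner must hold the
// capability the MCP tools need. user_can() is checked against the token's
// user ID rather than the request's current user, which may not be set for
// bearer-authenticated requests.
function mcp_permission_token_and_capability( WP_REST_Request $request ) {
    $user_id = mcp_lookup_oauth_token( mcp_bearer_from_request( $request ) );
    if ( $user_id <= 0 ) {
        return new WP_Error( 'mcp_unauthorized', 'Invalid bearer token.', array( 'status' => 401 ) );
    }
    if ( ! user_can( $user_id, 'manage_options' ) ) {
        return new WP_Error( 'mcp_forbidden', 'Administrator capability required.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mcp/v1', '/tools', array( // constructed namespace
        'methods'             => 'POST',
        'callback'            => function () { return array( 'ok' => true ); },
        'permission_callback' => 'mcp_permission_token_and_capability',
    ) );
} );
```

A quick audit of any MCP or REST route is to read its permission_callback and confirm it checks a capability, not merely token validity.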

Impact

Exploitation of this vulnerability allows authenticated users (Subscribers and above) to escalate their privileges to Administrator, gaining access to all administrative tools and capabilities within WordPress.

Remediation

Users can update to version 3.5.0 or a newer patched version to address this vulnerability.

Added: May 17, 2026, 4:18 AM
Updated: May 17, 2026, 4:18 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 5.0
exploitability: 6.1
remediation: 7.7
relevance: 8.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.