Lucene search
K

WordPress AI Engine Plugin - Token Exposure

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 24 Views

Unauthenticated exposure of bearer tokens in WordPress AI Engine plugin up to version 3.1.3 via REST API when No-Auth URL is enabled.

Related
Refs
Code
id: CVE-2025-11749

info:
  name: WordPress AI Engine Plugin - Token Exposure
  author: 4m3rr0r
  severity: critical
  description: |
    Unauthenticated sensitive information exposure in AI Engine WordPress plugin <= 3.1.3 exposes bearer tokens via REST API endpoints when No-Auth URL is enabled.
  impact: |
    Unauthenticated attackers can retrieve sensitive bearer tokens from AI Engine WordPress plugin through exposed REST API endpoints, potentially allowing privilege escalation and unauthorized access to AI service credentials.
  remediation: |
    Upgrade to AI Engine version 3.1.4 or later that properly secures REST API endpoints and token handling.
  reference:
    - https://www.wordfence.com/blog/2025/11/100000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-ai-engine-wordpress-plugin/
    - https://cve.mitre.org/cgi-bin/cvename/cgi?name=CVE-2025-11749
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-11749
    epss-score: 0.75063
    epss-percentile: 0.99448
  metadata:
    max-request: 1
    verified: true
    vendor: wordpress
    product: ai-engine
    shodan-query: 'http.html:"/wp-content/plugins/ai-engine/"'
    zoomeye-query: 'app:"WordPress" +web.body:"/wp-content/plugins/ai-engine/"'
  tags: cve,cve2025,wordpress,wp-plugin,ai-engine,exposure,token,vkev,ai

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-json/mcp/v1"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(header, "application/json")'
        condition: and

      - type: regex
        part: body
        regex:
          - '\"\\/mcp\\/v1\\/([^\\/"]+)\\/messages\":{'
          - '\"\\/mcp\\/v1\\/([^\\/"]+)\\/sse\":{'
        condition: and
# digest: 4a0a0047304502210086ba34fc41357dd13775e9812088bb067116692513e81dc2366c47b59633fbfd022018cb05f0eac7dbbf1939462df83ff60392c9f78455cf4e65289aba3b9ba90035:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.19.8
EPSS0.75063
SSVC
24