218 matches found
WordPress plugin AI Engine 跨站脚本漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site...
CVE-2025-6238
The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirecturi' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the...
CVE-2025-6238
The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirecturi' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the...
CVE-2025-6238 AI Engine 2.8.4 - Insecure OAuth Implementation
The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirecturi' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the...
WordPress plugin AI Engine 输入验证错误漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. An input validation...
PT-2025-27847 · WordPress · Ai Engine
Name of the Vulnerable Software and Affected Versions: AI Engine plugin for WordPress version 2.8.4 Description: The issue is due to an insecure OAuth implementation, specifically the lack of validation for the redirect uri parameter during the authorization flow. This allows unauthenticated...
WordPress AI Engine plugin <= 2.8.4 - Insecure OAuth Implementation vulnerability
Insecure OAuth Implementation vulnerability discovered by István Márton - Wordfence in WordPress Plugin AI Engine versions = 2.8.4...
WordPress AI Engine plugin has unspecified vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. An unspecified vulnerability exists in WordPress AI Engine plugin that stems from a lack of capability checking, which can be exploited by attackers to cause unauthorized data...
CVE-2025-5071
The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'MeowMWAILabsMCP::canaccessmcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and...
CVE-2025-5071
The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'MeowMWAILabsMCP::canaccessmcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and...
CVE-2025-5071
The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'MeowMWAILabsMCP::canaccessmcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and...
CVE-2025-5071 AI Engine 2.8.0 - 2.8.3 - Authenticated (Subscriber+) Insufficient Authorization to Privilege Escalation via MCP
The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'MeowMWAILabsMCP::canaccessmcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and...
CVE-2025-5071
The CVE-2025-5071 entry concerns the WordPress AI Engine plugin (versions 2.8.0–2.8.3) with a missing capability check in Meow_MWAI_Labs_MCP::can_access_mcp. This allows authenticated users with subscriber-level access and above to gain full MCP control and execute commands (e.g., wp_create_user,...
CVE-2025-5071 AI Engine 2.8.0 - 2.8.3 - Authenticated (Subscriber+) Insufficient Authorization to Privilege Escalation via MCP
The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'MeowMWAILabsMCP::canaccessmcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and...
100,000 WordPress Sites Affected by Privilege Escalation via MCP in AI Engine WordPress Plugin
🌞Spring Into Summer Challenge: Critical Threats = Critical Rewards. 🌞 🔥 Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Submit bold. Earn big! 🔥 On May 21st, 2025, our Wordfence Thre...
CVE-2024-6723
The AI Engine WordPress plugin before 2.4.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when viewing chatbot discussions...
CVE-2024-6451
AI Engine 2.4.3 is susceptible to remote-code-execution RCE via Log Poisoning. The AI Engine WordPress plugin before 2.5.1 fails to validate the file extension of "logspath", allowing Administrators to change log filetypes from .log to .php...
CVE-2024-38791
Server-Side Request Forgery SSRF vulnerability in Jordy Meow AI Engine: ChatGPT Chatbot allows Server Side Request Forgery.This issue affects AI Engine: ChatGPT Chatbot: from n/a through 2.4.7...
CVE-2024-10499
The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its RESP API endpoint before using it in a SQL statement, allowing admins to perform SQL injection attacks...
CVE-2023-2580
The AI Engine WordPress plugin before 1.6.83 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example, in multisite setup...