CVE-2025-5071

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-5071
The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Meow_MWAI_Labs_MCP::can_access_mcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like 'wp_create_user', 'wp_update_user' and 'wp_update_option', which can be used for privilege escalation, and 'wp_update_post', 'wp_delete_post', 'wp_update_comment' and 'wp_delete_comment', which can be used to edit and delete posts and comments.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.8.1/labs/mcp.php#L43
https://plugins.trac.wordpress.org/changeset/3313554/ai-engine#file21
https://www.wordfence.com/threat-intel/vulnerabilities/id/0e7654a1-0020-4bf1-86be-bdb238a9fe0d?source=cve
Configurations

No configuration.

History

23 Jun 2025, 20:16

Type Values Removed Values Added
Summary
  • (es) El complemento AI Engine para WordPress es vulnerable a la modificación no autorizada de datos y a su pérdida debido a la falta de una comprobación de capacidad en la función «Meow_MWAI_Labs_MCP::can_access_mcp» en las versiones 2.8.0 a 2.8.3. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, tengan acceso completo al MCP y ejecuten comandos como «wp_create_user», «wp_update_user» y «wp_update_option», que pueden usarse para la escalada de privilegios, y «wp_update_post», «wp_delete_post», «wp_update_comment» y «wp_delete_comment», que pueden usarse para editar y eliminar publicaciones y comentarios.

19 Jun 2025, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-19 10:15

Updated : 2025-06-23 20:16

NVD link : CVE-2025-5071

Mitre link : CVE-2025-5071

CVE.ORG link : CVE-2025-5071

JSON object : View

Products Affected

No product.

CWE
CWE-863

Incorrect Authorization