2025-06-19 09:23:47
Wordfence
PUBLISHED
The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the Meow_MWAI_Labs_MCP::can_access_mcp function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like wp_create_user, wp_update_user and wp_update_option, which can be used for privilege escalation, and wp_update_post, wp_delete_post, wp_update_comment and wp_delete_comment, which can be used to edit and delete posts and comments.