The security hole is identified as CVE-2025-5071 with a high CVSS ranking of 8.8, affecting the AI Engine plugin versions from 2.8.0 to 2.8.3, allowing the attacker to have authenticated with the minimum access to the subscription level can gain full control of management of target WordPress websites. The affected subjects include personal pages, small businesses or blogs using this plugin to integrate artificial intelligence.
Focusing mainly on the incomplete authorization mechanism in the MCP function of the plugin, allowing AI agents like Claude or ChatGPT to control and manage WordPress websites by executing many different commands.
Technical method & attack chain
The serious vulnerability is discovered in WordPress AI Engine plugin related to a component called model contotocol (MCP). Although the MCP is not turned on by default, when the administrator actively activates the Dev Tools feature or integrates AI advanced, the MCP module will be opened and become a dangerous “gateway” for the attacker.
The vulnerability comes from the inaccurate test of access to the can_access_MCP () function. Instead of limiting the MCP feature for users who play the Administrator role, the system allows any user to log in (including the user) with the lowest right (Subscribe) is also allowed to send requests to sensitive APIs of the system.
More worrying, the system uses the “Bearer token” authentication model to decentralize but if the user sends the request without the empty token or token, the default system thinks it is a valid user, leading to serious escalation holes. That is, just login, hackers can send high administrative API requests without being rejected by the system.
Once the MCP is approached, hackers can take advantage of commands such as: wp_update_user, install_plugin, Activate_plugin or even upload toxic files to install webshell, thereby taking control of the entire website.
In short, this string of attacks allows the attacker to start with only low -level user accounts. But by sending the request to the API of the MCP, you can create a new user admin, install a toxic plugin or edit the system equivalent to the right to root of the entire WordPress website.
Scope & level of influence
- Number of influenced websites:> 100,000
- Scope: Global, any WordPress site installs a faulty plugin and enabled MCP
- Consequences: Completely controlling the website, installing backdoor, spam, shifting to the unique page, stealing data …
The points to note
- The vulnerability is not zero-day but is popular by the Dev Tools self-activation.
- This tactic is aimed at the lack of technical understanding or forgetting to turn off the Dev Tools modules.
Solutions & recommendations for users
- Update AI Engine plugin up to version 2.8.4 and above, the patch has released 18/6/2025. If not updated:
- Turn off the DEV Tools module and the model Context Protocol (MCP).
- Use Wordfence (new version) to block before patching.
- See the history of adding the User Admin for unknown source.
- Check the strange plugin, new file, webshell, etc.
- Review log rest associated with endpoint MCP.
- Avoid turning on the intensive module (as MCP) on the Production environment if not needed.
- Register to warn the plugin patch, update regularly.
- Use WAF + Web Application Monitoring to detect abnormal activity early.
The cve‑2025‑5071 vulnerability in the AI Engine plugin is a warning to the WordPress community that should not be carefree on the internal AI module if not carefully controlled. Because if hackers can take advantage and gain complete administration. Whether the plugin supports integrated chatgpt or Claude, it is necessary to be alert and update as soon as there is a patch. Website safety must always go hand in hand with strict rights and proactive defense.
According to whitehat.vn
Coordinated by experts of BkavVietnam cybersecurity community Whitehat
and science and technology community VnReview
