What happened
WPScan/NVD disclosed a critical (CVSS 9.8) authentication design flaw in the AI Copilot WordPress plugin: OAuth tokens were never bound to a specific user identity, so any completed OAuth handshake yielded an admin-equivalent session capable of driving the plugin's MCP tool surface.
Why it matters
This is a concrete example of MCP tool authorization being trivially bypassable in a widely installed WordPress AI plugin — an unauthenticated attacker can escalate to full site administrator by abusing the agentic tool layer rather than a traditional web vulnerability, demonstrating the real-world blast radius of poorly scoped MCP tool permissions.
Attack vector
The plugin's OAuth flow does not bind issued access tokens to a specific WordPress user account. Any unauthenticated attacker who completes the public OAuth flow (which requires no privileged access) receives a valid token that the plugin then treats as an administrator session, allowing invocation of privileged MCP tools including arbitrary user creation and role escalation.
Affected systems
AI Copilot WordPress plugin before 1.5.4
Mitigation
Update to AI Copilot plugin version 1.5.4 or later, which binds OAuth tokens to the originating WordPress user.