Technical description
The AI Engine plugin for WordPress, which provides chatbot functionality and Model Context Protocol (MCP) integration, contains a privilege escalation vulnerability in version 3.4.9. The flaw stems from missing WordPress capability enforcement in the MCP OAuth bearer-token authorization code path. Any valid OAuth token grants MCP access without verifying that the authenticated user holds administrator privileges.
Attack vector
An authenticated attacker with Subscriber-level privileges (the lowest authenticated role in WordPress) can invoke admin-level MCP tools by presenting any valid OAuth token. The vulnerability lies in the authorization logic that checks token validity but skips the role-enforcement step, allowing low-privilege users to execute administrative operations through the MCP interface. Public registration is enabled on many WordPress sites, making Subscriber access trivial to obtain.
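The flaw class described above, as an added illustration that is not the AI Engine plugin's own code: a bearer-token authorization routine that stops at token validity, placed beside the hardened form that also enforces a WordPress capability for the token's owner. The token store, the `demo_` function names and the choice of `manage_options` as the admin-level capability are assumptions; `get_user_by`, `wp_set_current_user`, `current_user_can` and `WP_Error` are WordPress core APIs.

```php
<?php
// Added illustrative example, not the AI Engine plugin's code. It shows the
// missing-capability-check pattern from the advisory next to a fixed version.
// Only get_user_by, wp_set_current_user, current_user_can, WP_User and
// WP_Error are real WordPress APIs; everything prefixed demo_ is hypothetical.

/** Hypothetical token store: bearer token => WordPress user ID (constructed). */
function demo_token_store(): array {
    return [
        'tok-admin-0001'      => 1, // assume user 1 is an administrator
        'tok-subscriber-0002' => 7, // assume user 7 is a Subscriber
    ];
}

/** Resolve a bearer token to a WP_User, or null if the token is unknown. */
function demo_user_from_token( string $bearer ): ?WP_User {
    $store = demo_token_store();
    if ( ! isset( $store[ $bearer ] ) ) {
        return null;
    }
    $user = get_user_by( 'id', $store[ $bearer ] );
    return $user instanceof WP_User ? $user : null;
}

/** VULNERABLE pattern: a valid token is treated as sufficient for MCP access. */
function demo_authorize_mcp_vulnerable( string $bearer ) {
    $user = demo_user_from_token( $bearer );
    if ( null === $user ) {
        return new WP_Error( 'invalid_token', 'Bad token', [ 'status' => 401 ] );
    }
    // Missing step: no capability check. A Subscriber's token reaches the
    // same admin-level tools as an administrator's.
    return true;
}

/** HARDENED pattern: token validity AND a capability check on the owner. */
function demo_authorize_mcp_fixed( string $bearer, string $capability = 'manage_options' ) {
    $user = demo_user_from_token( $bearer );
    if ( null === $user ) {
        return new WP_Error( 'invalid_token', 'Bad token', [ 'status' => 401 ] );
    }
    // Bind the request to the token owner so capability checks apply to them.
    wp_set_current_user( $user->ID );
    // 'manage_options' is assumed here as the admin-level capability; in a real
    // plugin, require the capability that matches what each tool can change.
    if ( ! current_user_can( $capability ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges', [ 'status' => 403 ] );
    }
    return true;
}
```

With the constructed store, `demo_authorize_mcp_vulnerable( 'tok-subscriber-0002' )` returns `true`, while `demo_authorize_mcp_fixed` with the same token returns a 403 `WP_Error`. Returning the `WP_Error` from a REST permission callback is the idiomatic way to make WordPress reject the request.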
Affected systems
AI Engine plugin for WordPress version 3.4.9. The plugin has 50,000+ active installations. Sites with public user registration (allowing anyone to create a Subscriber account) face the highest exposure. MCP-enabled WordPress instances are specifically at risk.
Mitigation
Wordfence disclosed the vulnerability and Meow Apps (the plugin vendor) released version 3.4.10 on May 17, 2026 with a patch. Site administrators should update to version 3.4.10 immediately. For sites unable to update immediately: disable public user registration, audit existing Subscriber accounts for suspicious activity, review MCP OAuth token grants, and monitor admin-level operations in WordPress logs for anomalous tool calls from low-privilege sessions.
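For the last mitigation step, monitoring for admin-level tool calls from low-privilege sessions, here is an added detection example that is not part of the advisory or the plugin. The log line format, the endpoint path, the tool names and the list of admin-level tools are all constructed assumptions; adapt them to whatever your request logging actually records.

```php
<?php
// Added example, not from the advisory or the plugin. Scans request log lines
// for MCP tool calls made by sessions whose role is not administrator. The log
// format (timestamp followed by key=value pairs), the endpoint path, the tool
// names and DEMO_ADMIN_TOOLS are constructed assumptions.

const DEMO_ADMIN_TOOLS = [ 'update_option', 'create_user', 'install_plugin' ];

/** Constructed sample log lines; the subscriber calls are the ones to flag. */
function demo_sample_log(): array {
    return [
        '2026-05-18T10:01:02Z user_id=1 role=administrator endpoint=/wp-json/mcp/v1/call tool=update_option status=200',
        '2026-05-18T10:03:15Z user_id=7 role=subscriber endpoint=/wp-json/mcp/v1/call tool=update_option status=200',
        '2026-05-18T10:04:40Z user_id=7 role=subscriber endpoint=/wp-json/wp/v2/posts status=200',
        '2026-05-18T10:05:09Z user_id=9 role=subscriber endpoint=/wp-json/mcp/v1/call tool=create_user status=403',
    ];
}

/** Parse one line into an associative array; null if it is not in the expected shape. */
function demo_parse_line( string $line ): ?array {
    $parts = preg_split( '/\s+/', trim( $line ) );
    if ( count( $parts ) < 2 ) {
        return null;
    }
    $record = [ 'ts' => array_shift( $parts ) ];
    foreach ( $parts as $kv ) {
        if ( false === strpos( $kv, '=' ) ) {
            return null;
        }
        [ $key, $value ] = explode( '=', $kv, 2 );
        $record[ $key ] = $value;
    }
    return $record;
}

/**
 * Return the records for admin-level MCP tool calls from non-administrator
 * sessions. A status of 200 on such a record means the call succeeded (the
 * vulnerable behaviour); a 403 means the capability check rejected it, which
 * after patching is the expected outcome but still worth reviewing.
 */
function demo_find_privilege_anomalies( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $record = demo_parse_line( $line );
        if ( null === $record || ! isset( $record['tool'], $record['role'] ) ) {
            continue; // not an MCP tool call, or an unparseable line
        }
        if ( 'administrator' !== $record['role'] && in_array( $record['tool'], DEMO_ADMIN_TOOLS, true ) ) {
            $hits[] = $record;
        }
    }
    return $hits;
}

foreach ( demo_find_privilege_anomalies( demo_sample_log() ) as $hit ) {
    printf(
        "%s user %s (%s) called %s, status %s\n",
        $hit['ts'], $hit['user_id'], $hit['role'], $hit['tool'], $hit['status'] ?? '?'
    );
}
```

On the constructed sample this reports the two subscriber calls to `update_option` and `create_user` and ignores the administrator's call and the ordinary posts request. Any 200 result for a non-administrator session against an admin-level tool should be treated as a confirmed incident on an unpatched 3.4.9 install, and the corresponding OAuth token grant and Subscriber account reviewed.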