Vulnerability  ·  2026-06-16

AI Engine WordPress Plugin — Editor-Role Privilege Escalation (CVSS 7.2)

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-27407
AI Engine, a widely used WordPress plugin that integrates GPT-based chatbots, content generation, and AI model management, contains a privilege escalation vulnerability in versions up to and including 3.4.9. Published June 15, 2026 (CVSS 7.2 HIGH). An Editor-level user can escalate to Administrator through an inadequately protected action or REST endpoint within the plugin.
AI Engine stores and manages OpenAI/GPT API keys, chatbot configurations, fine-tuned model settings, and AI-generated content pipelines. A privilege-escalated attacker gains control of all AI infrastructure configured through the plugin — including API key exfiltration for downstream LLM abuse — as well as full WordPress administrator access enabling further site compromise or supply-chain attacks on site visitors.
An authenticated attacker with at minimum Editor-level WordPress privileges exploits a missing capability check or improper authorization in AI Engine ≤ 3.4.9 to escalate privileges to Administrator, gaining full site control including access to stored OpenAI API keys and all AI model configuration.
AI Engine WordPress Plugin ≤ 3.4.9
Update AI Engine to version 3.5.0 or later. Advisory: https://patchstack.com/database/wordpress/plugin/ai-engine/vulnerability/wordpress-ai-engine-plugin-3-4-9-privilege-escalation-vulnerability
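The bug class described above, a privileged plugin endpoint whose authorization check still passes for an Editor, shown beside the corrected form. This is an added illustration written for this page, not AI Engine's code; the route name, option name, AJAX action and function names are hypothetical.

```php
<?php
// Hypothetical settings endpoint that stores an LLM API key (illustration only,
// not the AI Engine plugin's real code or route).

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-ai/v1', '/settings', array(
        'methods'  => 'POST',
        'callback' => 'example_ai_save_settings',
        // WEAK: both of these pass for an Editor, so an Editor could overwrite
        // admin-only settings such as the stored API key:
        //   'permission_callback' => 'is_user_logged_in',
        //   'permission_callback' => function () { return current_user_can( 'edit_posts' ); },
        // HARDENED: require the capability the action actually needs. Editors
        // do not hold manage_options, so this closes the escalation path here.
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Administrator capability required.', array( 'status' => 403 ) );
            }
            return true;
        },
    ) );
} );

function example_ai_save_settings( WP_REST_Request $request ) {
    // Re-check inside the handler as well (defense in depth: the same callback
    // may later be wired to another route or an AJAX action without the check).
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Forbidden', array( 'status' => 403 ) );
    }
    $api_key = sanitize_text_field( (string) $request->get_param( 'api_key' ) );
    update_option( 'example_ai_api_key', $api_key );
    return rest_ensure_response( array( 'saved' => true ) );
}

// The same rule for an admin-ajax "action": a nonce alone is not authorization.
// The nonce proves intent (CSRF protection); the capability check proves rights.
add_action( 'wp_ajax_example_ai_save_settings', function () {
    check_ajax_referer( 'example_ai_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }
    $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'example_ai_api_key', $api_key );
    wp_send_json_success( array( 'saved' => true ) );
} );
```

When auditing a plugin for this class of issue, list every `register_rest_route` and `wp_ajax_*` registration and confirm that each permission check names a capability matching the privilege the handler exercises, not merely login state.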
Sources
Patchstack Advisory — AI Engine Privilege Escalation CVE-2026-27407
NVD CVE-2026-27407