100,000 WordPress Sites Affected by Privilege Escalation via MCP in AI Engine WordPress Plugin
On May 21st, 2025, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Insufficient Authorization to Privilege Escalation via MCP (Model Context Protocol) vulnerability in the AI Engine plugin, which is actively installed on more than 100,000 WordPress websites. Authenticated attackers with subscriber-level access and above can exploit this vulnerability to gain full access to the MCP and execute various commands such as ‘wp_update_user’, allowing them to escalate their privileges to administrator by updating their user role. Please note that this vulnerability only critically affects users who have enabled the Dev Tools and then the MCP module in the settings, which is disabled by default.
The post 100,000 WordPress Sites Affected by Privilege Escalation via MCP in AI Engine WordPress Plugin appeared first on Wordfence.