CVE-2025-11749 Scanner

The WordPress AI Engine Plugin is a popular add-on for WordPress that enhances the website's capabilities by integrating AI functionalities. It is widely used by developers and website administrators to implement AI features easily on WordPress sites. The plugin is designed to be user-friendly and caters to both small and large websites seeking to incorporate artificial intelligence into their content management system. The plugin provides accessibility to advanced AI technologies without requiring extensive coding knowledge, making it a go-to choice for WordPress users. Furthermore, it is maintained and regularly updated, providing consistent improvements and support for users.

The Information Disclosure vulnerability in the WordPress AI Engine Plugin poses significant risks to affected websites. This vulnerability allows unauthorized access to sensitive information, specifically bearer tokens, via REST API endpoints in the plugin. It primarily occurs when the No-Auth URL feature is enabled, leading to potential exposure of sensitive data. Such vulnerabilities can raise concerns over data privacy and integrity, making it crucial to address them promptly. The critical severity of this vulnerability necessitates immediate attention and action to mitigate risks associated with unauthorized data access.

Technical details of the vulnerability reveal that the exposure occurs through REST API endpoints when the No-Auth URL option is activated. As a result, bearer tokens, which are crucial for authentication and authorization processes, are exposed through these endpoints. Indicative endpoints include "/wp-json/mcp/v1", where specific patterns such as "/messages" and "/sse" in API responses are linked to the vulnerability. These details highlight the need for secure API endpoint management to prevent potential security breaches.

Exploiting the Information Disclosure vulnerability could lead to severe consequences, including unauthorized access to sensitive areas of a website, such as admin panels or user data. Malicious actors with access to bearer tokens could impersonate legitimate users or escalate privileges, causing significant disruptions. Furthermore, the exposure of such sensitive information could lead to data breaches, loss of user trust, and potential reputational damage to the affected organizations or individuals. It underscores the importance of robust security practices and timely patching of vulnerabilities.

REFERENCES

• https://www.wordfence.com/blog/2025/11/100000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-ai-engine-wordpress-plugin/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11749