Over 100,000 WordPress Sites Exposed to Privilege Escalation via MCP AI Engine
gbhackers
The Wordfence Threat Intelligence team identified a severe security flaw in the AI Engine plugin, a widely used tool installed on over 100,000 WordPress websites.
This vulnerability, classified as an Insufficient Authorization to Privilege Escalation via Model Context Protocol (MCP), has a CVSS score of 8.8 (High) and has been assigned the identifier CVE-2025-5071.
Affecting versions 2.8.0 to 2.8.3 of the plugin, the flaw allows authenticated attackers with subscriber-level access or higher to gain full control over the MCP module, enabling them to execute critical commands such as ‘wp_update_user’.
This can result in privilege escalation by modifying user roles to administrator level, posing a significant risk of complete site compromise.
Importantly, the issue only affects sites where the Dev Tools and MCP module have been manually enabled in the plugin settings; both are disabled by default ...
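As an added illustration, not code from the AI Engine plugin or from this article: a hypothetical WordPress REST handler for an MCP-style ‘wp_update_user’ command, showing the kind of authentication-only gate that lets a subscriber reach the command beside a capability-based gate that also limits which roles the caller may assign. The route, function names and parameters are assumptions.

```php
<?php
// Added example (hypothetical): an MCP-style "wp_update_user" command endpoint.
// Not the AI Engine plugin's real code; route and ai_mcp_* names are assumed.

// Weak gate: any authenticated user, including a subscriber, passes this check,
// so the caller can reach a command that changes user roles.
function ai_mcp_weak_permission( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Corrected gate: require the capabilities the underlying operation needs.
function ai_mcp_permission( WP_REST_Request $request ) {
    return current_user_can( 'manage_options' ) && current_user_can( 'promote_users' );
}

// Handler: even behind the capability check, refuse role assignments the
// caller could not make through wp-admin (prevents handing out 'administrator').
function ai_mcp_update_user( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $role    = sanitize_key( (string) $request->get_param( 'role' ) );
    $args    = array( 'ID' => $user_id );

    if ( $role !== '' ) {
        // get_editable_roles() lives in wp-admin and lists only roles the
        // current user is allowed to assign; load it for REST context.
        require_once ABSPATH . 'wp-admin/includes/user.php';
        if ( ! in_array( $role, array_keys( get_editable_roles() ), true ) ) {
            return new WP_Error( 'mcp_forbidden', 'Role not assignable by caller.', array( 'status' => 403 ) );
        }
        $args['role'] = $role; // only set when non-empty; '' would strip all roles
    }

    $result = wp_update_user( $args );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'updated' => $result ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'ai-mcp/v1', '/wp_update_user', array(
        'methods'             => 'POST',
        'callback'            => 'ai_mcp_update_user',
        'permission_callback' => 'ai_mcp_permission', // not ai_mcp_weak_permission
    ) );
} );
```

The same pattern applies to any other privileged command an MCP module exposes: the permission callback must check the capability the command needs, not merely that a session exists.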
Copyright of this story belongs to gbhackers.