The message came on a Tuesday afternoon, mid-sprint. A developer at a small agency was doing a routine scan of a client’s WordPress site before pushing some WooCommerce changes to staging. Something caught his eye in the Users list: two admin accounts he didn’t recognize.
He pinged the client. Neither of them had created those accounts.
That sinking feeling – the one you get when you realize something has gone quietly wrong – had a name: CVE-2025-11749.
What Was Hiding in the REST API Index
AI Engine is a popular WordPress plugin with over 100,000 active installations. It lets site owners add AI-powered chatbots, content generators, and – in its newer iterations – a Model Context Protocol (MCP) endpoint that enables deeper AI integrations.
The problem wasn’t the feature itself. The problem was how the plugin registered it.
When the “No-Auth URL” option was enabled in AI Engine (versions up to and including 3.1.3), the plugin registered its MCP REST API routes without setting show_in_index to false. Every route registered through the WordPress REST API is listed in the public index unless that flag is set, so this was a subtle omission with a significant consequence: the bearer token used to authenticate with the MCP endpoint appeared in plain text inside the public /wp-json/ REST API index, readable by anyone who sent an unauthenticated request and knew what to look for.
An unauthenticated attacker could send a single GET request to /wp-json/, harvest the token, and present it as a bearer credential to the /mcp/v1/ endpoint. From there, they could create new administrator accounts, modify site settings, upload plugins, or, with an admin account of their own, do anything else they wanted. No password required. No brute force. No need to even touch a login form.
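The check below is an added example for this article, not code from AI Engine, Wordfence or Trusti Security. It reads a REST index the way an attacker (or a scanner) would and reports any route in the mcp/v1 namespace that the index lists, along with any token-like value found in the route path or in its argument defaults. The index layout is the one WordPress core produces for /wp-json/; the route path, the "token" argument and the token value in the two constructed samples are invented for the demonstration, and the second sample shows what the same site looks like once the routes are registered with show_in_index => false.

```python
"""Check a WordPress REST index (GET /wp-json/) for listed AI Engine MCP routes.

Added example for the article; not plugin, Wordfence or Trusti code. The index
layout ("namespaces" list plus "routes" map of path -> {namespace, methods,
endpoints[{methods, args}]}) is WordPress core's. The MCP route path, the
"token" argument and its value below are constructed, not taken from AI Engine.
"""
from __future__ import annotations

import json
import re
import sys
import urllib.request

MCP_NAMESPACE = "mcp/v1"

# A bearer token is a long opaque string; 20+ URL-safe alphanumerics in a
# route path or argument default is a heuristic threshold, not plugin-specific.
SECRET_RE = re.compile(r"[A-Za-z0-9_\-]{20,}")


def fetch_index(site_url: str, timeout: float = 10.0) -> dict:
    """GET /wp-json/ anonymously (no cookies, no auth header) and parse it.
    Whatever this returns is public. Not used by the offline samples."""
    url = site_url.rstrip("/") + "/wp-json/"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def _candidate_secrets(value) -> list[str]:
    """Collect token-looking strings from a JSON value, recursing into dicts
    and lists. Non-string scalars (including None) contribute nothing."""
    found: list[str] = []
    if isinstance(value, str):
        found.extend(SECRET_RE.findall(value))
    elif isinstance(value, dict):
        for v in value.values():
            found.extend(_candidate_secrets(v))
    elif isinstance(value, list):
        for v in value:
            found.extend(_candidate_secrets(v))
    return found


def _in_mcp_namespace(path: str, route: dict) -> bool:
    root = "/" + MCP_NAMESPACE
    return route.get("namespace") == MCP_NAMESPACE or path.rstrip("/") == root \
        or path.startswith(root + "/")


def exposed_mcp_routes(index: dict) -> list[dict]:
    """Return every MCP route the index lists, with token-like values found in
    its path or in its endpoints' argument defaults.

    A route registered with show_in_index => false never reaches the "routes"
    map, so a site on the fixed plugin yields an empty list even though
    "mcp/v1" may still be advertised under "namespaces".
    """
    findings = []
    for path, route in index.get("routes", {}).items():
        if not _in_mcp_namespace(path, route):
            continue
        secrets = _candidate_secrets(path)
        for endpoint in route.get("endpoints", []):
            for arg in endpoint.get("args", {}).values():
                if isinstance(arg, dict):
                    secrets.extend(_candidate_secrets(arg.get("default")))
        findings.append({"route": path,
                         "methods": list(route.get("methods", [])),
                         "secrets": sorted(set(secrets))})
    return findings


# Constructed sample of a vulnerable site's index (shape is core's; the
# "/mcp/v1/sse" route, the "token" argument and its value are invented).
VULNERABLE_INDEX = {
    "namespaces": ["wp/v2", MCP_NAMESPACE],
    "routes": {
        "/wp/v2/posts": {
            "namespace": "wp/v2", "methods": ["GET", "POST"],
            "endpoints": [{"methods": ["GET"], "args": {"context": {"default": "view"}}}],
        },
        "/mcp/v1/sse": {
            "namespace": MCP_NAMESPACE, "methods": ["GET", "POST"],
            "endpoints": [{"methods": ["GET", "POST"],
                           "args": {"token": {"type": "string",
                                              "default": "c0nstructed3xampleT0kenValue42"}}}],
        },
    },
}

# The same site after the fix: namespace still advertised, route entry gone.
PATCHED_INDEX = {
    "namespaces": ["wp/v2", MCP_NAMESPACE],
    "routes": {"/wp/v2/posts": VULNERABLE_INDEX["routes"]["/wp/v2/posts"]},
}

if __name__ == "__main__":
    # Usage: python this_script.py https://example.com   (hypothetical file name)
    targets = ([(sys.argv[1], fetch_index(sys.argv[1]))] if len(sys.argv) > 1
               else [("vulnerable sample", VULNERABLE_INDEX), ("patched sample", PATCHED_INDEX)])
    for label, index in targets:
        hits = exposed_mcp_routes(index)
        print(f"{label}: " + ("no MCP routes listed" if not hits else
              "; ".join(f"{h['route']} listed, token-like values {h['secrets'] or 'none'}" for h in hits)))
```

Run it with no arguments to see the two samples side by side, or pass a site URL to fetch that site's live index. A non-empty result on a site that should be on 3.1.4 or later means either the update never landed or something else is registering routes under that namespace, and in both cases the listed values should be treated as leaked.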
The CVE carries a CVSS score of 9.8, rated Critical.
Low Noise, High Access
What makes this kind of vulnerability especially dangerous isn’t its complexity – it’s its quietness.
There are no error logs. No failed login attempts. No obvious signs of intrusion. The request that harvests the token looks like ordinary traffic to /wp-json/, and every MCP call after it succeeds with a valid credential, so nothing trips the alarms that watch for authentication failures. An attacker who creates a stealthy admin account this way can come back whenever they want, with full access, until someone notices there are two admins where there should be one. The one trail that does exist is the web server access log: requests to /wp-json/mcp/v1/ from unfamiliar addresses are worth a look, if those logs are kept long enough to matter.
For the developer in our example, the discovery came during a routine pre-deployment check. That’s luck, not security. The site had been exposing that token for weeks: a fixed release had come out, and the update cycle had gone by without anyone applying it. Anything could have happened in the meantime: redirects inserted into the theme, a backdoor planted in the mu-plugins folder, affiliate links slipped quietly into product descriptions.
100,000 Sites and a Fifteen-Day Window
The vulnerability was reported through the Wordfence Bug Bounty Program on October 4, 2025. Developer Jordy Meow released a fix in AI Engine version 3.1.4 on October 19, leaving a 15-day window in which the issue was known to the researcher and the developer but no fixed release existed.
For sites still running version 3.1.3 or earlier today, that window is still open.
The technical fix was straightforward: adding show_in_index => false to the REST route registration so the MCP routes, and the token with them, no longer appear in the public API index. But a code fix only lands on a site if someone runs the update. And hiding the route does not, by itself, invalidate a token that was already harvested: if the No-Auth URL option was enabled while a vulnerable version was installed, regenerate that token or turn the option off after updating, rather than assuming the update alone closes the door.
Closing the Door Before the Ghost Comes Back
If AI Engine is installed on any of your sites, check which version is running. Version 3.1.4 or later closes this hole; anything older is exposed whenever the No-Auth URL option is on. To confirm the leak is gone, fetch /wp-json/ without logging in and check that no mcp/v1 routes are listed in the index.
If you find any admin accounts you don’t recognize, treat the site as compromised: delete the accounts, rotate all remaining admin passwords and the MCP bearer token, audit recent changes to theme files, active plugins and the mu-plugins folder, and check for unexpected scheduled tasks, redirects or edited product content.
The harder truth is that a 9.8 CVSS vulnerability in a plugin with six-figure install counts can sit unaddressed for weeks – not because the security community isn’t doing its job, but because the update never happens. Trusti Security’s vulnerability scanner is built for exactly this gap: when a CVE is published for an installed plugin, it flags the issue automatically, so you’re not discovering the problem during a code push or a client’s panicked phone call. For agencies managing multiple sites, having that notification arrive before the attacker does changes everything about the response window.
Update AI Engine, audit your Users list, and add a plugin review to your next maintenance pass. The ghost admin won’t come back if you close the door first.