AI Engine is a WordPress plugin with over 100,000 active installations. It adds AI-powered chatbots, content generation tools, and – in more recent versions – a Model Context Protocol (MCP) endpoint. That endpoint enables deeper integrations with external AI systems. In October 2025, a critical vulnerability surfaced in how the plugin registered that MCP endpoint. Under certain configurations, the authentication token for the endpoint was publicly readable by anyone who knew where to look.
Mysterious admin account WordPress: The Token in the Public API Index
When the “No-Auth URL” option was enabled in AI Engine versions up to and including 3.1.3, the plugin registered its MCP REST API routes without setting show_in_index to false. That’s a subtle misconfiguration – but the consequence was significant. The bearer token used to authenticate with the MCP endpoint appeared in plain text inside the public /wp-json/ REST API index. Anyone who sent a GET request to that URL could read it.
An unauthenticated attacker could send a single request to /wp-json/. They could read the token from the response and use it to authenticate with the /mcp/v1/ endpoint. From there they could create new administrator accounts, modify site settings, or upload plugins. That means full administrative control, no password required. CVE-2025-11749 carries a CVSS score of 9.8.
Mysterious admin account WordPress: Low Noise, High Access
What makes this vulnerability particularly dangerous isn’t its complexity – it’s its quietness. There are no failed login attempts. No brute force activity. No error logs. An attacker who creates an admin account via a legitimate API token doesn’t trigger the usual alarms. They can return whenever they choose, with full access. That stays true until someone audits the Users list and notices an account that shouldn’t be there.
The technical root cause is simple: registering REST routes whose definitions carry sensitive data without excluding them from the public index. The fix in version 3.1.4 adds show_in_index => false to the route registration. A small change – but it only takes effect once someone applies the update.
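As an added illustration (not AI Engine's own code; route, option and function names are assumed), here is the vulnerable registration pattern beside the hardened one. How the real plugin placed the token in the index is not stated above; the example assumes it was carried as a route argument, which the REST index lists along with default values.

```php
<?php
// Added example, not AI Engine's code. Route, option and function names are assumed.
// GET /wp-json/ lists every registered route with its args, default values included,
// unless the route was registered with 'show_in_index' => false.

// BEFORE: the vulnerable pattern. show_in_index defaults to true, and (assumption)
// the secret is carried as a route arg default, so it lands in the public index.
function example_register_mcp_route_vulnerable() {
    register_rest_route( 'example-mcp/v1', '/run', array(
        'methods'             => 'POST',
        'callback'            => 'example_mcp_handler',
        'permission_callback' => 'example_mcp_check_token',
        'args'                => array(
            'token' => array(
                'type'    => 'string',
                'default' => get_option( 'example_mcp_bearer_token' ),
            ),
        ),
    ) );
}

// AFTER: the hardened pattern. The route is hidden from the index, as the 3.1.4 fix
// does, and the secret is no longer part of the route definition at all.
function example_register_mcp_route_fixed() {
    register_rest_route( 'example-mcp/v1', '/run', array(
        'methods'             => 'POST',
        'callback'            => 'example_mcp_handler',
        'permission_callback' => 'example_mcp_check_token',
        'show_in_index'       => false,
    ) );
}
add_action( 'rest_api_init', 'example_register_mcp_route_fixed' );

// Authenticate from the Authorization header with a constant-time comparison,
// so the secret is never described by the route schema or read from a query arg.
function example_mcp_check_token( WP_REST_Request $request ) {
    $expected = (string) get_option( 'example_mcp_bearer_token' );
    $header   = (string) $request->get_header( 'authorization' );
    $provided = preg_replace( '/^Bearer\s+/i', '', $header );
    if ( '' === $expected || ! hash_equals( $expected, $provided ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid token.', array( 'status' => 401 ) );
    }
    return true;
}

function example_mcp_handler( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'ok' => true ) );
}
```

After updating, a site owner can confirm the change by checking that the public index at /wp-json/ no longer lists the MCP route.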
A 15-Day Window
A security researcher reported the vulnerability through the Wordfence Bug Bounty Program on October 4, 2025. The fix shipped in AI Engine version 3.1.4 on October 19. That left a 15-day window between the report and the patch during which the vulnerability existed without a fix. Sites still running version 3.1.3 or earlier with the No-Auth URL option enabled remain exposed.
A CVSS 9.8 vulnerability in a plugin with six-figure install counts attracts automated exploitation quickly after disclosure. Sites that ran affected versions during that window should treat the possibility of compromise seriously. Check the Users list for unexpected administrator accounts. Review recently added plugins and theme modifications. Audit scheduled tasks. Rotate admin credentials.
What to Do
If AI Engine is installed, update to version 3.1.4 or later immediately. If you find administrator accounts you don’t recognize, treat the site as compromised. Delete the accounts. Rotate all admin passwords. Check theme files and active plugins for unexpected modifications.
The harder problem this CVE illustrates is the gap between “a fix exists” and “someone applies it.” Trusti Security’s vulnerability scanner handles exactly this scenario. When a CVE appears for an installed plugin, it flags the issue in your dashboard. It sends a notification through whichever channel you’re watching. That way you act before the exploitation window closes rather than after.