CVE Watch · Last verified 2026-05-17

AI Engine Plugin: Any Subscriber Becomes Admin

On May 17, 2026, Wordfence Threat Intelligence published CVE-2026-8719, a CVSS 8.8 privilege escalation in the popular AI Engine — The Chatbot, AI Framework & MCP for WordPress plugin (v3.4.9). The plugin's MCP OAuth bearer-token authorization path skips the WordPress capability check, so any authenticated user (Subscriber and up) can invoke admin-only MCP tools and walk straight to Administrator. Patched in v3.4.10. If you run AI Engine, update today.

Verified facts

  • CVE-2026-8719. Privilege escalation in AI Engine plugin v3.4.9. CVSS 3.1: 8.8 (HIGH). Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. CWE-269 (improper privilege management).
  • Plugin: AI Engine by Jordy Meow (Meow Apps). 50,000+ active installations on WordPress.org. Powers chatbots, AI Forms, AI Copilot, content generation, and MCP integrations for ChatGPT / Claude / Claude Code.
  • Root cause: missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path. Any valid OAuth token grants MCP access without verifying administrator privileges.
  • Who can exploit it: any authenticated user at Subscriber level or above. On WordPress sites that allow open registration (most WooCommerce, membership, and bbPress sites), that's anyone with an email address.
  • Impact: invoke admin-level MCP tools, escalate to Administrator, full site takeover (plugin install, theme edit, code execution via PHP plugins).
  • Public PoC: not yet, but the patch diff has been public on plugins.trac.wordpress.org since May 17. Reverse-engineering an exploit from a diff this small takes hours, not days.
  • Wild exploitation: not confirmed as of 2026-05-17, but Wordfence's track record suggests automated scans within 7-14 days.
  • Patch: AI Engine v3.4.10. Auto-update or manual via WP admin → Plugins → Update.

Why this one matters even with PR:L

On paper PR:L (low privilege required) is "less bad" than PR:N (no privilege required). In practice it's worse than the score suggests. Three reasons:

First, most WordPress sites allow public Subscriber registration by default. A WooCommerce store, a membership site, a bbPress forum, anything with a "create account" link gives the attacker the only thing they need: any account. No 0-day, no phishing, no credential stuffing. Just sign up.

Second, AI Engine is installed on the kind of site that rarely has aggressive monitoring. Marketing sites, content blogs, customer support portals running an AI chatbot. Wordfence's free plan won't catch the OAuth path; only paid Wordfence Premium with active threat rules will.

Third, MCP-enabled WordPress sites often have AI agents (Claude Desktop, ChatGPT, Cursor) connected via OAuth tokens that already exist on the site. An attacker who escalates can use those existing tokens to pivot into other connected systems: GitHub repos, Slack workspaces, the AI agent's local filesystem.

Who should care

  • Any WordPress site running AI Engine plugin v3.4.9 or earlier. Check WP Admin → Plugins.
  • WooCommerce stores using AI Engine for chat / product Q&A. Public registration plus this plugin equals an open admin door.
  • Agencies who installed AI Engine on multiple client sites. One compromised admin account on one site is enough to start lateral movement.
  • Multi-author publication sites (Author / Editor roles already have content access; this CVE escalates them to full admin).
  • Sites with MCP server enabled (the vulnerable code path) connected to Claude or ChatGPT desktop apps via OAuth.

Quick self-check

  1. Log into WP Admin → Plugins → search "AI Engine".
  2. If installed and version < 3.4.10, you're vulnerable. Update.
  3. If you can't update right now (compatibility concerns), deactivate AI Engine until you can.
  4. After updating, audit recent admin user creations: WP Admin → Users → Administrators. Delete any administrator you did not create, then rotate the passwords of everyone who remains.
  5. Check wp-content/plugins/ai-engine/ for unusual files added after the disclosure date. Anything not in the official zip is suspicious.
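To make steps 1 and 2 repeatable across many installs (agencies with dozens of client sites especially), here is a small POSIX shell check. It is an added example, not code from this advisory or from the AI Engine plugin, and it assumes the plugin lives at wp-content/plugins/ai-engine/ with a standard WordPress "Version:" header in ai-engine.php.

```shell
#!/bin/sh
# Added example (not from the advisory or the AI Engine plugin): decide from
# the filesystem whether an install is still on a vulnerable AI Engine build.
# Assumptions: plugin directory wp-content/plugins/ai-engine/, main file
# ai-engine.php carrying a standard WordPress "Version:" header line.

PATCHED_VERSION="3.4.10"

# Extract the Version: header value from a plugin's main PHP file.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 is older than $2. A plain string compare
# gets this wrong: "3.4.9" sorts AFTER "3.4.10" lexically, so a naive
# check would report the vulnerable build as already patched.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# Classify the WordPress root given as $1:
# ABSENT, UNKNOWN, "VULNERABLE <v>" or "PATCHED <v>".
check_site() {
    main="$1/wp-content/plugins/ai-engine/ai-engine.php"
    if [ ! -f "$main" ]; then echo "ABSENT"; return 0; fi
    v=$(plugin_version "$main")
    if [ -z "$v" ]; then echo "UNKNOWN"; return 0; fi
    if version_lt "$v" "$PATCHED_VERSION"; then
        echo "VULNERABLE $v"
    else
        echo "PATCHED $v"
    fi
}

# Usage: ./ai_engine_check.sh /var/www/site1 /var/www/site2 ...
for root in "$@"; do
    echo "$root: $(check_site "$root")"
done
```

On a live site WP-CLI gives the same answers without parsing files: `wp plugin get ai-engine --field=version` for the version and `wp user list --role=administrator` for step 4.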

Workaround if you absolutely cannot update

Disable the MCP OAuth feature in AI Engine settings. Go to WP Admin → Meow Apps → AI Engine → Settings → MCP / OAuth. Toggle off the "MCP server" and "OAuth bearer token" options. This kills the vulnerable code path while keeping basic chatbot functionality alive. Re-enable once you've patched.

If your site allows public registration, also lock that down temporarily. WP Admin → Settings → General → "Anyone can register" → uncheck. This breaks the easiest exploit path while you plan the patch.

Need help fixing this vulnerability?

Professional remediation by the same team that tracks these threats.

  • $49 Quick Patch Call: 30-minute screenshare; we update and audit your AI Engine install together.
  • $99 WordPress Compromise Check: hidden admin scan, plugin file integrity, and database audit.
  • $199 Full WordPress Audit: all plugins, themes, users, capabilities, and hardening, with a written report.
  • $299–$999 Incident Response: if you find rogue admins or suspicious files, full cleanup and recovery.