CVE-2025-11749

Critical · Exploited · Nuclei

WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE

Title source: metasploit

Exploitation Summary

CVE-2025-11749 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Nxploited, halilkirazkaya and Boshe99, among them the Metasploit module exploits/multi/http/wp_ai_engine_mcp_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2025-11749, targeting a WordPress plugin vulnerability to create admin users and extract tokens. It includes multi-threading, token extraction, and session ID retrieval.

Description

The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract the bearer token, which can be used to gain access to a valid session and perform many actions like creating a new administrator account, leading to privilege escalation.

Exploits (4)

nomisec · Working PoC · 6 stars
by Nxploited · infoleak
https://github.com/Nxploited/CVE-2025-11749

This PoC exploits CVE-2025-11749, targeting a WordPress plugin vulnerability to create admin users and extract tokens. It includes multi-threading, token extraction, and session ID retrieval.

Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WordPress with vulnerable plugin (likely MCP or MWAI)
No auth needed
Prerequisites: Target URLs in a list file · Internet connectivity
Analyzed by devstral-2 on Feb 16, 2026
github · Writeup · 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2025/CVE-2025-11749.md

The repository provides a detailed technical analysis of CVE-2025-11749, an unauthenticated sensitive information exposure vulnerability in the AI Engine WordPress plugin. It includes a PoC demonstrating how the bearer token can be exposed via the /mcp/v1/ REST API endpoint, along with search queries for affected systems.

Classification: Writeup (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: AI Engine WordPress plugin (versions up to and including 3.1.3)
No auth needed
Prerequisites: AI Engine plugin installed and 'No-Auth URL' enabled
Analyzed by devstral-2 on Feb 27, 2026
github · Working PoC
by Boshe99 · python, poc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2025-11749

The repository contains a functional exploit for CVE-2025-11749, targeting a WordPress plugin vulnerability. The script automates the process of checking for vulnerable endpoints, extracting tokens, and potentially exploiting the vulnerability to create admin users.

Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WordPress with vulnerable plugin (likely Meow Apps or similar)
No auth needed
Prerequisites: Target URLs listed in a file · WordPress site with vulnerable plugin installed
Analyzed by devstral-2 on Feb 27, 2026
metasploit · Working PoC · Excellent
by Emiliano Versini, Khaled Alenazi (Nxploited) · ruby, poc, php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_ai_engine_mcp_rce.rb

This Metasploit module exploits CVE-2025-11749 in the WordPress AI Engine plugin (versions <= 3.1.3) by creating an unauthenticated admin account via the MCP endpoint and achieving RCE through plugin upload.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress AI Engine plugin <= 3.1.3
No auth needed
Prerequisites: WordPress site with vulnerable AI Engine plugin installed · Access to the MCP endpoint
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

WordPress AI Engine Plugin - Token Exposure
Critical · Verified · by 4m3rr0r
Shodan: http.html:"/wp-content/plugins/ai-engine/"

Scores

CVSS v3 9.8
EPSS 0.8574
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-11-05
CWE
CWE-200
Status published
Products (2)
tigroumeow/AI Engine < 3.1.3
tigroumeow/AI Engine – The Chatbot, AI Framework & MCP for WordPress < 3.1.3
Published Nov 05, 2025
Tracked Since Feb 18, 2026