CVE-2025-5071: 
WordPress vulnerability analysis and mitigation

CVE-2025-5071 affects the AI Engine plugin for WordPress versions 2.8.0 to 2.8.3. The vulnerability stems from a missing capability check in the 'MeowMWAILabsMCP::canaccess_mcp' function, which was discovered and reported by Wordfence on June 19, 2025 (NVD).

The vulnerability exists due to improper authorization controls in the Model Context Protocol (MCP) module. The canaccessmcp() function fails to properly validate user capabilities, allowing any authenticated user with subscriber-level access to execute privileged commands. The vulnerability has been assigned a CVSS v3.1 score of 8.8 HIGH (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-863 (Incorrect Authorization) (NVD, Security Online).

The vulnerability allows authenticated attackers with subscriber-level access to execute various privileged commands including 'wpcreateuser', 'wpupdateuser', and 'wpupdateoption' for privilege escalation, as well as 'wpupdatepost', 'wpdeletepost', 'wpupdatecomment' and 'wpdeletecomment' for content manipulation. This effectively enables complete site takeover by malicious users (Security Online).

Site administrators are urged to immediately update to version 2.8.4 of the AI Engine plugin, which includes a patch for this vulnerability. If immediate updating is not possible, it is recommended to ensure that Dev Tools and the MCP module are disabled (Security Online).