module
WordPress AI Engine Plugin MCP Unauthenticated Admin Creation to RCE
| Disclosed |
|---|
| Nov 4, 2025 |
Disclosed
Nov 4, 2025
Description
This module exploits an unauthenticated vulnerability in the WordPress AI Engine plugin
(versions via the MCP (Model Context Protocol) endpoint without authentication. The module supports
both `/wp-json/mcp/v1/` and `/?rest_route=/mcp/v1/` endpoints. Once an administrator
account is created, the module uploads and executes a malicious plugin to achieve remote
code execution (RCE).
(versions via the MCP (Model Context Protocol) endpoint without authentication. The module supports
both `/wp-json/mcp/v1/` and `/?rest_route=/mcp/v1/` endpoints. Once an administrator
account is created, the module uploads and executes a malicious plugin to achieve remote
code execution (RCE).
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.