CVE-2026-8719: WordPress AI Engine Plugin allows unauthorized admin access

Summary

The WordPress AI Engine plugin has a security flaw that lets attackers with lower-level accounts gain full administrator access. This is a concern because it allows unauthorized users to make changes that could affect the entire website. To fix this, update the plugin to the latest version or remove it if you don't need it.

Original title
The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capability enforcement in...
Original description
The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path, where any valid OAuth token causes MCP access to be granted without verifying administrator privileges. This makes it possible for authenticated (Subscriber+) attackers to invoke admin-level MCP tools and escalate privileges to Administrator.
NVD CVSS 3.1: 8.8
Vulnerability type
CWE-269 Improper Privilege Management
Published: 17 May 2026 · Updated: 28 May 2026 · First seen: 17 May 2026
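
The description above attributes the flaw to a bearer-token path that grants MCP access on token validity alone. The following added example is a constructed Python model, not the plugin's code, contrasting that decision with one that also enforces a capability. The role map, token values, function names and the use of `manage_options` as the required capability are assumptions.

```python
from dataclasses import dataclass

# Constructed role -> capability map, loosely mirroring WordPress defaults.
ROLE_CAPS = {
    "subscriber": {"read"},
    "administrator": {"read", "manage_options"},
}
# Assumption: capability standing in for "administrator privileges".
REQUIRED_CAP = "manage_options"

@dataclass(frozen=True)
class User:
    login: str
    role: str

    def can(self, cap):
        return cap in ROLE_CAPS.get(self.role, set())

# Constructed token store: bearer token -> user it was issued to.
TOKENS = {
    "tok-sub-0001": User("alice", "subscriber"),
    "tok-adm-0001": User("root", "administrator"),
}

def resolve_token(header):
    """Return the user behind 'Bearer <token>', or None if invalid."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer":
        return None
    return TOKENS.get(token.strip())

def authorize_flawed(header):
    """Flawed shape: a valid token alone is treated as authorization."""
    return resolve_token(header) is not None

def authorize_checked(header):
    """Corrected shape: authenticate the token, then enforce the capability."""
    user = resolve_token(header)
    return user is not None and user.can(REQUIRED_CAP)

def decisions():
    """Both decisions for each constructed caller, keyed by login."""
    return {u.login: (authorize_flawed(f"Bearer {t}"), authorize_checked(f"Bearer {t}"))
            for t, u in TOKENS.items()}

if __name__ == "__main__":
    for login, (flawed, checked) in decisions().items():
        print(f"{login}: flawed={flawed} checked={checked}")
```

The two functions differ only for the subscriber token, which is the gap between authenticating a caller and authorizing the action.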