Threat Advisory

Flaw in AI Engine Plugin Exposes WordPress Sites to Full Compromise

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

A critical vulnerability (CVE-2025-11749, CVSS 9.8) has been discovered in the popular AI Engine WordPress plugin, affecting versions up to 3.1.3. It allows unauthenticated attackers to obtain a bearer token exposed via the plugin's "No-Auth URL" REST API endpoints and then use it to escalate privileges and compromise the site entirely, including upgrading a user to administrator, injecting malicious code, or installing backdoors.

RECOMMENDATION:

We strongly recommend you update the AI Engine WordPress plugin to version 3.1.4.

REFERENCES:

Critical CVE-2025-11749 Flaw in AI Engine Plugin Exposes WordPress Sites to Full Compromise
