CVE-2026-8719: Privilege Escalation in AI Engine

Executive Summary

CVE-2026-8719 is a high-severity (CVSS 8.8) privilege escalation vulnerability affecting version 3.4.9 of the AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin. The vulnerability stems from missing capability enforcement in the MCP OAuth bearer-token authorization path. An authenticated Subscriber-level attacker can invoke administrative MCP tools by presenting a valid OAuth bearer token, resulting in full administrative compromise of the WordPress instance.

Root Cause Analysis

Technical investigation reveals that the vulnerability exists within the MCP authorization handling logic of the AI Engine plugin. When the plugin processes incoming MCP requests via the OAuth bearer-token path, it fails to perform necessary WordPress capability checks (e.g., current_user_can('manage_options')) before granting access to the underlying AI framework and associated administrative tools.

Any user authenticated with a valid OAuth token—regardless of their WordPress role—is treated as an authorized entity by the MCP interface. This bypass allows non-administrative users to execute sensitive administrative actions that should be restricted to users with the Administrator role.

Technical Details

The vulnerable endpoint is located within the plugin’s REST API implementation for MCP integration. The authorization check intended to guard administrative MCP tools relies solely on the presence of a valid OAuth bearer token rather than validating the permissions associated with the WordPress user account linked to that token.

Vulnerability Mechanics

• Affected Component: MCP OAuth Bearer Token Authorization Path.
• Vulnerability Type: Improper Privilege Management (CWE-269).
• Attack Vector: Network-based, requiring low-privileged authentication.
• Authentication Requirement: Authenticated (Subscriber+).

Forensic Artifacts and Indicators of Compromise (IOCs)

Security operations teams should monitor for the following indicators:

• Audit Logs: Unauthorized execution of AI Engine administrative tasks by user accounts with Subscriber, Contributor, or Author roles.
• REST API Traffic: Requests to /wp-json/ai-engine/v1/mcp/* endpoints characterized by unexpected OAuth token usage by non-administrative users.
• Configuration Changes: Unexpected modifications to plugin-managed AI framework settings or chatbot configurations.

Mitigation and Detection

Immediate patching to version 3.5.0 or later is required to address this vulnerability. If patching is delayed, administrators are advised to disable the AI Engine plugin entirely.

Detection Rules

Sigma Rule

title: Potential MCP Privilege Escalation in AI Engine
id: 593c20d-3422-4817-9639
status: experimental
description: Detects unauthorized administrative access to MCP endpoints in AI Engine.
logsource:
  product: wordpress
  category: web_server
detection:
  selection:
    url|contains: '/wp-json/ai-engine/v1/mcp/'
  condition: selection
priority: high

KQL Rule

WebLogs
| where RequestPath contains "/wp-json/ai-engine/v1/mcp/"
| where UserRole != "administrator"
| project TimeGenerated, ClientIP, UserRole, RequestPath, RequestHeaders

References

• NVD - CVE-2026-8719
• Wordfence Threat Intel
• Plugin Changeset