CVE-2025-5071: Incorrect Authorization in AI Engine

Severity
8.8 HIGH (NVD)
EPSS
0.2%
top 52.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 19

Description

The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Meow_MWAI_Labs_MCP::can_access_mcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like 'wp_create_user', 'wp_update_user' and 'wp_update_option', which can be used for privilege escalation, and 'wp_update_post', 'wp_

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

NVD meowapps/ai_engine 2.8.0 2.8.4
CVEListV5 tigroumeow/ai_engine 2.8.0 2.8.3

Patches

Vulnerability Details (2)

GHSA
GHSA-gg23-wpg2-g99p: The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Meow_ (2025-06-19)
CVEList
AI Engine 2.8.0 - 2.8.3 - Authenticated (Subscriber+) Insufficient Authorization to Privilege Escalation via MCP (2025-06-19)