Overview
CVE-2026-8719 is a high-severity privilege escalation vulnerability in the AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin (version 3.4.9). The flaw resides in the plugin's Model Context Protocol (MCP) integration, where the OAuth bearer-token authorization path fails to enforce WordPress capability checks. As a result, any user presenting a valid OAuth token is granted full MCP access regardless of their actual WordPress role.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-8719 |
| CVSS Score | 8.8 (High) |
| Affected Version | 3.4.9 and earlier |
| Vulnerability Type | Privilege Escalation |
| Authentication Required | Yes (Subscriber or higher) |
| Patch Available | Check plugin repository for updated version |
Technical Details
The vulnerability exists in the plugin's MCP OAuth authentication handler. When a request arrives carrying a valid OAuth bearer token, the code grants MCP access without calling `current_user_can()` or any equivalent WordPress capability check. This means a subscriber-level user — the lowest authenticated role in WordPress — can obtain MCP access that should be restricted to administrators.
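The following WordPress snippet is an added illustration, not the AI Engine plugin's own code. It shows the pattern the advisory describes (a valid OAuth token alone is treated as sufficient for MCP access) beside a hardened version that separates authentication (who presented the token) from authorization (whether that user may use MCP). It assumes it runs inside WordPress; the `example_mcp_user_id_for_token()` lookup, the `example-mcp/v1` route namespace and the `manage_options` capability are placeholders for the plugin's real token store, route and required capability.

```php
<?php
// Added illustration; not the AI Engine plugin's code. Assumes it runs inside
// WordPress. example_mcp_user_id_for_token(), the 'example-mcp/v1' namespace and
// the 'manage_options' capability are placeholders.

/**
 * Placeholder token lookup: return the WordPress user ID the bearer token was
 * issued to, or 0 if it is unknown, revoked or expired. A real implementation
 * would consult the plugin's grant storage.
 */
function example_mcp_user_id_for_token( string $token ): int {
    return 0; // placeholder: no tokens are known in this illustration
}

/** Extract the bearer token from the Authorization header, or null. */
function example_mcp_bearer_token( WP_REST_Request $request ): ?string {
    $auth = (string) $request->get_header( 'authorization' );
    return preg_match( '/^Bearer\s+(\S+)$/i', $auth, $m ) ? $m[1] : null;
}

// VULNERABLE PATTERN: token validity is treated as sufficient. Every user the
// plugin ever issued a token to, Subscriber included, passes this check.
function example_mcp_permission_vulnerable( WP_REST_Request $request ) {
    $token = example_mcp_bearer_token( $request );
    return $token !== null && example_mcp_user_id_for_token( $token ) > 0;
}

// HARDENED PATTERN, step 1 (authentication): map a valid token to a WordPress
// user through the standard determine_current_user filter, so the rest of
// WordPress, including current_user_can(), knows who is calling.
// Note: some hosts strip HTTP_AUTHORIZATION; the plugin's own header
// extraction may differ.
add_filter( 'determine_current_user', function ( $user_id ) {
    if ( $user_id ) {
        return $user_id; // already authenticated by cookie, app password, etc.
    }
    $header = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
    if ( ! preg_match( '/^Bearer\s+(\S+)$/i', $header, $m ) ) {
        return $user_id;
    }
    $id = example_mcp_user_id_for_token( $m[1] );
    return $id > 0 ? $id : $user_id;
}, 20 );

// HARDENED PATTERN, step 2 (authorization): the permission callback asks
// whether the authenticated user holds the capability the feature requires.
// The token only establishes identity; it never grants access by itself.
function example_mcp_permission_hardened( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Valid credentials required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'MCP access requires administrator capability.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mcp/v1', '/tools', array(
        'methods'             => 'POST',
        'callback'            => function () {
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => 'example_mcp_permission_hardened',
    ) );
} );
```

The point of the hardened form is that `permission_callback` never consults the token directly: once `determine_current_user` has bound the request to a WordPress user, the ordinary capability system decides, so a Subscriber with a perfectly valid token receives a 403 rather than full MCP access.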
The MCP (Model Context Protocol) integration provides direct access to AI model management features, site configuration, and potentially sensitive data stored in the plugin's context. Gaining unauthorized MCP access could allow an attacker to:
- Modify AI chatbot configurations and system prompts
- Access conversation history and user-submitted data
- Inject malicious instructions into AI model contexts
- Potentially pivot to broader WordPress administrative functions depending on what MCP exposes
Affected Products
- Plugin: AI Engine – The Chatbot, AI Framework & MCP for WordPress
- Affected Version: 3.4.9
- WordPress.org Slug: ai-engine
Proof of Concept
The attack requires:
- A valid WordPress account with at minimum Subscriber role
- An OAuth token (obtainable through normal OAuth flows exposed by the plugin)
- Direct API calls to the MCP endpoint, bypassing intended role restrictions
No public proof-of-concept exploit code has been confirmed at time of publication.
Remediation
Immediate actions:
- Update the plugin to the latest available version — check the WordPress.org plugin repository or the plugin vendor's site for a patched release.
- Audit MCP access logs for unexpected activity from low-privileged accounts.
- Temporarily disable the MCP integration if an immediate patch is not available and the feature is not business-critical.
- Review user accounts for any unauthorized role escalation that may have occurred.
If running a multi-user WordPress installation with subscriber-level accounts, treat this as a high-priority patch.
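To support the "audit MCP access logs" step above, the following must-use plugin is an added example (not the AI Engine plugin's code) that writes one audit line per REST request under an MCP route namespace, recording the resolved WordPress user and roles and flagging any call from an account without the administrator role. The `/example-mcp/v1` prefix is a placeholder, since the advisory does not give the plugin's actual route, and the example assumes the plugin's token authentication sets the WordPress current user before the route's callbacks run; if it does not, the line will show `anonymous` and the user must be recovered from the plugin's own logs instead.

```php
<?php
// Added example; not the AI Engine plugin's code. Drop into wp-content/mu-plugins/.
// '/example-mcp/v1' is a placeholder route prefix. Assumes the plugin's OAuth
// handling has already established the WordPress current user when
// rest_request_before_callbacks fires.

define( 'EXAMPLE_MCP_ROUTE_PREFIX', '/example-mcp/v1' );

/** True when the role list does not contain 'administrator'. */
function example_mcp_is_low_privilege( array $roles ): bool {
    return ! in_array( 'administrator', $roles, true );
}

/** Build a single grep-friendly audit line for an MCP request. */
function example_mcp_audit_line( WP_REST_Request $request ): string {
    $user  = wp_get_current_user();
    $login = $user->exists() ? $user->user_login : 'anonymous';
    $roles = $user->exists() ? $user->roles : array();
    $ip    = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';

    return sprintf(
        'mcp-audit flag=%s ts=%s ip=%s user=%s roles=%s method=%s route=%s',
        example_mcp_is_low_privilege( $roles ) ? 'UNEXPECTED' : 'ok',
        gmdate( 'c' ),
        $ip,
        $login,
        $roles ? implode( ',', $roles ) : '-',
        $request->get_method(),
        $request->get_route()
    );
}

// Log every request whose route starts with the MCP prefix, before its
// permission callback and handler run, so denied attempts are recorded too.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( strpos( $request->get_route(), EXAMPLE_MCP_ROUTE_PREFIX ) === 0 ) {
        error_log( example_mcp_audit_line( $request ) );
    }
    return $response;
}, 10, 3 );
```

Lines tagged `flag=UNEXPECTED` are the ones to review first: on an unpatched 3.4.9 install they represent exactly the token-holding, non-administrator callers the advisory describes, and after patching they should disappear entirely.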
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low (Subscriber)
- User Interaction: None
- Scope: Unchanged
- Confidentiality / Integrity / Availability: High / High / High