CVE-2026-8719 – AI Engine 3.4.9 – Authenticated (Subscriber+) Privilege Escalation via Missing Authorization in MCP OAuth Bearer Token

CVE ID :CVE-2026-8719

Published : May 17, 2026, 2:27 a.m. | 1 hour, 31 minutes ago

Description :The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path, where any valid OAuth token causes MCP access to be granted without verifying administrator privileges. This makes it possible for authenticated (Subscriber+) attackers to invoke admin-level MCP tools and escalate privileges to Administrator.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-8728 – Open5GS NRF conv.c ogs_sbi_discovery_option_parse_plmn_list denial of service

CVE-2026-8725 – CoreWorxLab CAAL test-hass Endpoint webhooks.py server-side request forgery

CVE-2026-8724 – Dataease Data Dashboard SqlparserUtils.java SqlparserUtils.transFilter sql injection

CVE-2026-8723 – qs.stringify crashes on null/undefined entries in comma-format arrays under encodeValuesOnly