CVE-2026-8719 – AI Engine 3.4.9 – Authenticated (Subscriber+) Privilege Escalation via Missing Authorization in MCP OAuth Bearer Token

CVE ID :CVE-2026-8719

Published : May 17, 2026, 2:27 a.m. | 1 hour, 31 minutes ago

Description :The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path, where any valid OAuth token causes MCP access to be granted without verifying administrator privileges. This makes it possible for authenticated (Subscriber+) attackers to invoke admin-level MCP tools and escalate privileges to Administrator.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…