Sensitive Information Exposure in AI Engine Plugin for WordPress
CVE-2025-11749

9.8 CRITICAL

Key Information:

Vendor: WordPress

Status: Vendor

CVE Published: 5 November 2025

What is CVE-2025-11749?

CVE-2025-11749 is a critical vulnerability in the AI Engine plugin for WordPress, a plugin that adds artificial-intelligence features to WordPress websites. The flaw is an exposure of sensitive information through the REST API and affects all versions up to and including 3.1.3. Specifically, when the 'No-Auth URL' feature is enabled, the plugin inadvertently exposes the 'Bearer Token' value in a REST response. This token is used to authenticate users within the system. As a result, unauthenticated attackers can extract the Bearer Token, hijack a valid session and execute privileged actions, including creating a new administrator account, which can fully compromise the security and integrity of the affected WordPress installation.
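The defect class described above, as an added illustration that is not AI Engine's own code: a hypothetical WordPress plugin whose "no-auth" option makes a settings route public and returns the whole settings array, secret included, beside a hardened variant that redacts secret-bearing keys before the response is serialised. The option name `demo_ai_settings`, the route namespace `demo-ai/v1` and the helper `demo_ai_redact_secrets` are assumed names chosen for this example.

```php
<?php
// Hypothetical plugin code (not AI Engine's); only the pattern is relevant.
add_action( 'rest_api_init', function () {
    // Assumed option layout: keys 'no_auth_url' (bool) and 'bearer_token' (string).
    $settings = get_option( 'demo_ai_settings', array() );
    $public   = ! empty( $settings['no_auth_url'] );

    // Shared permission rule: public only when the no-auth option is on,
    // otherwise restricted to administrators.
    $permission = $public ? '__return_true' : function () {
        return current_user_can( 'manage_options' );
    };

    // VULNERABLE PATTERN: the raw settings array, including the bearer
    // token, is returned on a route that can be reached without credentials.
    register_rest_route( 'demo-ai/v1', '/settings-unsafe', array(
        'methods'             => 'GET',
        'permission_callback' => $permission,
        'callback'            => function () use ( $settings ) {
            return rest_ensure_response( $settings ); // leaks 'bearer_token'
        },
    ) );

    // HARDENED: the same route shape, but secrets are stripped before the
    // response leaves the server, regardless of who is asking.
    register_rest_route( 'demo-ai/v1', '/settings', array(
        'methods'             => 'GET',
        'permission_callback' => $permission,
        'callback'            => function () use ( $settings ) {
            return rest_ensure_response( demo_ai_redact_secrets( $settings ) );
        },
    ) );
} );

/**
 * Replace the value of any key whose name looks secret-bearing. Matching by
 * key name (rather than listing exact keys) also catches fields added later.
 */
function demo_ai_redact_secrets( array $settings ) {
    $secret_markers = array( 'bearer_token', 'api_key', 'secret', 'password' );
    foreach ( $settings as $key => $value ) {
        foreach ( $secret_markers as $marker ) {
            if ( false !== stripos( $key, $marker ) ) {
                $settings[ $key ] = '[redacted]';
                break;
            }
        }
    }
    return $settings;
}
```

A quick way to verify a site is not affected by this pattern is to request the plugin's public REST routes while logged out and confirm no field carrying a token or key appears in the JSON.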

Potential impact of CVE-2025-11749

  1. Unauthorized Access and Privilege Escalation: Attackers can leverage the exposed Bearer Token to gain unauthorized access to the WordPress site, allowing them to escalate their privileges to that of an administrator. This level of access can lead to complete control over the website, including changes to content, settings, and user management.

  2. Data Breach Risks: With administrative access, malicious actors can access sensitive data stored within the WordPress site. This could involve personal information of users, confidential business data, and proprietary content, thereby increasing the risk of data breaches that can have severe legal and financial repercussions for affected organizations.

  3. Compromise of Website Integrity: The ability to create new administrator accounts enables attackers to manipulate website content and functions. They could introduce malicious code or backdoors, affecting not only the compromised site but potentially causing collateral damage to connected networks and users, leading to further security incidents.

Affected Version(s)

AI Engine * <= 3.1.3

EPSS Score

80% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Emiliano Versini