Cyber Resilience

CVE-2025-11749

Critical

Published: 05 November 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog at the time of this page)
Patch: available (the referenced changeset addresses the exposure)
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.8574 (99.4th percentile)
Risk Priority: 71 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-11749 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in the AI Engine plugin for WordPress (the affected product is inferred from the references and description; NVD did not file a CPE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is classified as AI-related (category: AI Agent Protocols and Integrations; risk domain: Privacy and Disclosure). Note that the classification was produced by keyword matching on "ai" and "mcp" in the description, not by a review of the plugin's AI functionality.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AU-13 (Monitoring for Information Disclosure).

Deeper analysis

The AI Engine plugin for WordPress is vulnerable to sensitive information exposure in all versions through 3.1.3. The flaw resides in the /mcp/v1/ REST API endpoint, which leaks the configured Bearer Token value whenever the No-Auth URL feature is enabled, corresponding to CWE-200.

Unauthenticated attackers can retrieve the token over the network and use it to establish a valid session. With that access they can perform numerous privileged operations, including creating new administrator accounts, which amounts to full privilege escalation. The vulnerability carries a CVSS 3.1 base score of 9.8. Because the token is served to anyone who can reach the endpoint, a site that ran an affected version with No-Auth URL enabled should treat the configured token as compromised: update to a release that includes the referenced changeset, rotate the token, and review the site for administrator accounts that no known administrator created.
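As an added example (not code from this page, the AI Engine plugin, or Wordfence), the following Python performs two offline checks a practitioner would want here: whether an installed AI Engine version falls inside the affected range, and whether a captured response body from the /mcp/v1/ endpoint carries a value that looks like the configured Bearer Token. It assumes the plugin's main file carries a standard WordPress `Version:` header, and that a leaked token would appear as a JSON string under a key containing "token" or "secret" or as a `Bearer …` value; those field names, the header block and the sample response are constructed for the example, since the advisory only states that the 'Bearer Token' value is exposed.

```python
"""Added example (not the AI Engine plugin's own code) for CVE-2025-11749.

Two offline checks:
  * is_vulnerable_version(): is an installed AI Engine version in the affected
    range ("all versions up to, and including, 3.1.3")?
  * find_exposed_bearer_tokens(): does a JSON body returned by the /mcp/v1/
    endpoint carry a value that looks like the configured Bearer Token?  The
    field names and the sample body below are assumptions constructed for this
    example; the advisory only states that the 'Bearer Token' value is exposed.
"""
import json
import re
from typing import List, Optional, Tuple

LAST_VULNERABLE = (3, 1, 3)

# Constructed stand-in for a WordPress plugin main-file header block.
SAMPLE_PLUGIN_HEADER = """/*
 * Plugin Name: AI Engine
 * Version: 3.1.3
 */
"""

# Constructed stand-in for a leaky endpoint response (no real token value).
SAMPLE_LEAKY_RESPONSE = json.dumps({
    "status": "ok",
    "settings": {"no_auth_url": True, "bearer_token": "EXAMPLE_TOKEN_DO_NOT_USE"},
})


def parse_version(version: str) -> Tuple[int, int, int]:
    """'3.1.3' -> (3, 1, 3); missing components become 0, suffixes are ignored."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    major, minor, patch = (int(p) if p else 0 for p in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: str) -> bool:
    """True when the version is <= 3.1.3, the last affected release per the advisory."""
    return parse_version(version) <= LAST_VULNERABLE


def extract_plugin_version(header_text: str) -> Optional[str]:
    """Pull the 'Version:' value from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


TOKEN_KEY = re.compile(r"token|secret", re.IGNORECASE)
BEARER_VALUE = re.compile(r"^Bearer\s+\S+", re.IGNORECASE)


def find_exposed_bearer_tokens(body: str) -> List[Tuple[str, str]]:
    """Return (json_path, value) for every string that looks like a leaked token.

    A hit is a non-empty string whose key name contains 'token' or 'secret', or
    whose value is formatted as an HTTP 'Bearer ...' credential.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    hits: List[Tuple[str, str]] = []

    def walk(node, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if isinstance(value, str) and value and (
                    TOKEN_KEY.search(key) or BEARER_VALUE.match(value)
                ):
                    hits.append((child, value))
                else:
                    walk(value, child)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(data, "")
    return hits


if __name__ == "__main__":
    ver = extract_plugin_version(SAMPLE_PLUGIN_HEADER)
    print(f"installed {ver}: vulnerable={is_vulnerable_version(ver)}")
    for path, value in find_exposed_bearer_tokens(SAMPLE_LEAKY_RESPONSE):
        print(f"token-like value at {path}: {value[:4]}...")
```

The version check is the authoritative test: a plugin at or below 3.1.3 is affected whether or not a probe happens to show the token. The response scan is only useful against a body you have already captured from your own site with No-Auth URL enabled; it is a heuristic and will not recognise a token stored under a field name the patterns above do not cover.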

Public references include the plugin source at plugins.trac.wordpress.org, a changeset that addresses the exposure, and a detailed Wordfence advisory. The EPSS score currently stands at 0.8574 with a recorded peak of 0.8640.


Vulnerability details

The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract the bearer token, which can be used to gain access to a valid session and perform many actions like creating a new administrator account, leading to privilege escalation.

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

AI Security Analysis

AI Category
AI Agent Protocols and Integrations
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, mcp

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1528 Steal Application Access Token (Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
T1078 Valid Accounts (Defense Evasion, Persistence, Privilege Escalation, Initial Access)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability exposes a bearer token via an unauthenticated REST API endpoint in a public-facing WordPress plugin, enabling exploitation of public-facing applications (T1190), stealing application access tokens (T1528), and use of valid accounts for actions like privilege escalation via admin account creation (T1078).

CVEs Like This One

CVE-2026-25650 (shared CWE-200)
CVE-2026-40885 (shared CWE-200)
CVE-2026-26069 (shared CWE-200)
CVE-2024-13796 (shared CWE-200)
CVE-2025-25975 (shared CWE-200)
CVE-2024-12142 (shared CWE-200)
CVE-2025-25951 (shared CWE-200)
CVE-2025-15103 (shared CWE-200)
CVE-2026-34297 (shared CWE-200)
CVE-2024-26480 (shared CWE-200)

Affected Assets

WordPress (AI Engine plugin, versions up to and including 3.1.3)
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-22 Publicly Accessible Content (prevent)
Directly restricts and protects sensitive bearer tokens within publicly accessible content such as the plugin's REST API endpoint.

prevent
Filters sensitive bearer-token values out of API responses so they are not exposed to unauthenticated callers.

AU-13 Monitoring for Information Disclosure (detect)
Monitors the REST API endpoint for unauthorized disclosure of bearer tokens that would enable session hijacking.
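As an added example of the AU-13 detect control (not code from this page, the plugin or Wordfence), the following Python runs detection logic over constructed access-log lines for the chain described above: an unauthenticated read of the MCP endpoint followed by an administrator account creation from the same client. It assumes the plugin route is served under the standard WordPress REST prefix, i.e. /wp-json/mcp/v1/, that the follow-on account creation appears as a POST to the core /wp-json/wp/v2/users route, and that logs are in Apache/nginx "combined" format; all three are assumptions to adjust to what your site actually logs, and the sample lines are constructed.

```python
"""Added example (not from the page, the plugin or Wordfence): log-based detection
of the CVE-2025-11749 exploitation chain, run over constructed access-log lines.

Assumptions, all labelled: the plugin route lives under the standard WordPress
REST prefix (/wp-json/mcp/v1/); a follow-on administrator creation appears as a
POST to the core /wp-json/wp/v2/users route; logs are Apache/nginx "combined".
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
MCP_PATH = re.compile(r"^/wp-json/mcp/v1(?:/|\?|$)")              # assumed full route
USER_CREATE_PATH = re.compile(r"^/wp-json/wp/v2/users(?:/|\?|$)")  # assumed route
WINDOW = timedelta(minutes=30)  # how long after a token read a user creation is linked

# Constructed sample: one attacker-like sequence, one unrelated admin session,
# and one unparseable line to show the parser tolerates it.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Nov/2025:10:15:01 +0000] "GET /wp-json/mcp/v1/ HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [05/Nov/2025:10:16:30 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 340 "-" "curl/8.4.0"',
    '198.51.100.4 - - [05/Nov/2025:10:20:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Nov/2025:11:05:00 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 340 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

Alert = Tuple[str, str, str, str]  # (alert_type, ip, iso_timestamp, path)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def detect(lines: Iterable[str], window: timedelta = WINDOW) -> List[Alert]:
    """Emit 'mcp_endpoint_read' for every successful hit on the MCP namespace and
    'token_read_then_user_create' when the same client then creates a user
    within the window (a user creation with no prior read is not flagged)."""
    alerts: List[Alert] = []
    last_read: Dict[str, datetime] = {}
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        if MCP_PATH.match(e["path"]) and e["status"] == 200:
            alerts.append(("mcp_endpoint_read", e["ip"], e["ts"].isoformat(), e["path"]))
            last_read[e["ip"]] = e["ts"]
        elif (USER_CREATE_PATH.match(e["path"]) and e["method"] == "POST"
              and e["status"] in (200, 201)):
            t0 = last_read.get(e["ip"])
            if t0 is not None and timedelta(0) <= e["ts"] - t0 <= window:
                alerts.append(("token_read_then_user_create", e["ip"],
                               e["ts"].isoformat(), e["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The access log cannot tell an attacker's read of the endpoint from a read by the integration the No-Auth URL was enabled for, so the first alert type is best filtered against an allowlist of the client addresses you expect; the correlated alert is the higher-confidence signal, and any hit on it warrants checking the users table for the account that was created.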
