CVE-2025-11749
Published: 05 November 2025
Summary
CVE-2025-11749 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in the AI Engine plugin for WordPress (product inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under AI Agent Protocols and Integrations, in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AU-13 (Monitoring for Information Disclosure).
Deeper analysis
The AI Engine plugin for WordPress is vulnerable to sensitive information exposure in all versions through 3.1.3. The flaw resides in the /mcp/v1/ REST API endpoint, which leaks the configured Bearer Token value whenever the No-Auth URL feature is enabled, corresponding to CWE-200.
Unauthenticated attackers can retrieve the token over the network and use it to establish a valid session. With that access they can execute numerous privileged operations, including creation of new administrator accounts, resulting in full privilege escalation. The vulnerability carries a CVSS 3.1 score of 9.8.
Public references include the plugin source at plugins.trac.wordpress.org, a changeset that addresses the exposure, and a detailed Wordfence advisory. The EPSS score currently stands at 0.8574 with a recorded peak of 0.8640.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37802
Vulnerability details
The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract the bearer token, which can be used to gain access to a valid session and perform many actions like creating a new administrator account, leading to privilege escalation.
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
AI Security Analysis
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, mcp
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes a bearer token via an unauthenticated REST API endpoint in a public-facing WordPress plugin, enabling exploitation of public-facing applications (T1190), stealing application access tokens (T1528), and use of valid accounts for actions like privilege escalation via admin account creation (T1078).
Mitigating Controls (NIST 800-53 r5)
- AC-22 (Publicly Accessible Content): directly restricts and protects sensitive bearer tokens within publicly accessible content such as the WordPress plugin's REST API endpoint.
- Output filtering: removes sensitive bearer token information from API responses to prevent exposure to unauthenticated attackers.
- AU-13 (Monitoring for Information Disclosure): monitors the REST API endpoint for unauthorized disclosure of bearer tokens that would enable session hijacking.
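The monitoring control (AU-13) needs something concrete to run against web-server logs. The following is an added example, not code from this page, from the AI Engine plugin, or from Wordfence: a small Python checker that parses access-log lines in the common "combined" format, flags every request that touched the /mcp/v1/ route named in the advisory, and then correlates a successful read of that route with a later successful POST to WordPress core's user-creation REST route (/wp-json/wp/v2/users), the step the advisory describes as leading to a new administrator account. The log lines are constructed for illustration; the exact prefix under which the plugin registers /mcp/v1/ is an assumption (the matcher only requires that segment to appear in the path), and a 2xx status is used as a proxy for a response that returned content.

```python
import re

MCP_ROUTE = "/mcp/v1/"                       # endpoint named in the advisory
USER_CREATE_ROUTE = "/wp-json/wp/v2/users"   # WordPress core REST route used to create users

# Constructed sample log lines (Apache/Nginx "combined" format); none of this is real traffic.
# 203.0.113.7 reads the MCP route successfully and then creates a user: the chain to flag.
# 192.0.2.44 hits the route but is refused (401), so no token was returned.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2025:10:14:02 +0000] "GET /wp-json/mcp/v1/ HTTP/1.1" 200 812 "-" "curl/8.4.0"
198.51.100.23 - - [05/Nov/2025:10:14:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2025:10:14:09 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 633 "-" "curl/8.4.0"
192.0.2.44 - - [05/Nov/2025:10:20:41 +0000] "GET /mcp/v1/ HTTP/1.1" 401 96 "-" "python-requests/2.32"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so route matching is not fooled by parameters.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def analyze(log_text):
    """
    Walk the log in order and report:
      - every request that touched the /mcp/v1/ route, with method, path and status;
      - clients whose successful (2xx) read of that route was later followed by a
        successful POST to the core user-creation route, i.e. the escalation chain
        the advisory describes.
    """
    mcp_hits = []
    token_read_by = set()
    escalation_sources = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if MCP_ROUTE in rec["path"]:
            mcp_hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
            if 200 <= rec["status"] < 300:
                token_read_by.add(rec["ip"])
        elif (rec["method"] == "POST"
              and rec["path"].rstrip("/") == USER_CREATE_ROUTE
              and 200 <= rec["status"] < 300
              and rec["ip"] in token_read_by
              and rec["ip"] not in escalation_sources):
            escalation_sources.append(rec["ip"])
    return {"mcp_hits": mcp_hits, "escalation_sources": escalation_sources}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for hit in report["mcp_hits"]:
        print("MCP route access:", hit)
    for ip in report["escalation_sources"]:
        print("token read followed by user creation from", ip)
```

Any hit on the MCP route from a source that should not be using it is worth a look on its own while the No-Auth URL feature is enabled; the correlated user creation is the higher-confidence signal that the leaked token was actually used, which is the condition AU-13 is meant to surface.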