cvedb.io
CVE-2025-5071
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2025-06-19T10:15:22.027 · Last modified 2026-06-17T09:47:08.380

Summary

The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Meow_MWAI_Labs_MCP::can_access_mcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like 'wp_create_user', 'wp_update_user' and 'wp_update_option', which can be used for privilege escalation, and 'wp_update_post', 'wp_delete_post', 'wp_update_comment' and 'wp_delete_comment', which can be used to edit and delete posts and comments.

Affected products

meowapps — ai_engine

Does this affect you?

Add your gear to cvedb and we'll alert you only when meowapps ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.