Add WordPress AI Engine MCP RCE exploit (CVE-2025-11749)

[Chocapikk]

Hello Metasploit Team,

This module exploits an unauthenticated vulnerability (CVE-2025-11749) in the WordPress AI Engine plugin, which has over 100,000 active installations. The vulnerability allows an attacker to create an administrator account via the MCP (Model Context Protocol) endpoint without authentication, then upload and execute a malicious plugin to achieve remote code execution.

Important Note

This vulnerability is not exploitable by default. The plugin must have the following options enabled:

• module_mcp
• mcp_core
• mcp_noauth_url

These options are typically configured by administrators who want to use the MCP feature with AI assistants.

Vulnerability Details

• CVE: CVE-2025-11749
• Affected Versions: <= 3.1.3
• Fixed Version: 3.1.4
• Plugin Installations: 100,000+

The plugin exposes MCP endpoints at /wp-json/mcp/v1/{token}/sse and /?rest_route=/mcp/v1/{token}/sse without proper authentication checks when mcp_noauth_url is enabled. This allows unauthenticated JSON-RPC calls to WordPress core functions like wp_create_user.

Module Features

• Automatic version detection via plugin readme
• Token discovery via both wp-json and ?rest_route= endpoints
• Unauthenticated administrator account creation
• Plugin upload and RCE via WordPress mixins
• Support for PHP and Unix payloads

Testing

Tested against WordPress 6.3.2 with AI Engine plugin 3.1.3. Both PHP and Linux Meterpreter payloads verified.

Thanks