
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3 | Critical: 0 | High: 2 | Medium: 1

Showing 1-3 of 3 records

Threat Entry Updated 2026-05-18

CVE-2026-8719 - AI Engine – The Chatbot, AI Framework & MCP for WordPress Plugin

The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path, where any valid OAuth token causes MCP access to be granted without verifying administrator privileges. This makes it possible for authenticated (Subscriber+) attackers to invoke admin-level MCP tools and escalate privileges to Administrator.

Plugin: AI Engine – The Chatbot, AI Framework & MCP for WordPress

CVE-2026-8719 | HIGH | CVSS 8.8 | 2026-05-17

Threat Entry Updated 2026-04-15

CVE-2026-1400 - AI Engine – The Chatbot, AI Framework & MCP for WordPress Plugin

The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP…

Plugin: AI Engine – The Chatbot, AI Framework & MCP for WordPress

CVE-2026-1400 | HIGH | CVSS 7.2 | 2026-01-28

Threat Entry Updated 2026-04-15

CVE-2026-0746 - AI Engine – The Chatbot, AI Framework & MCP for WordPress Plugin

The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'get_audio' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, if "Public API" is enabled in the plugin settings, and 'allow_url_fopen' is set to 'On' on the server.

Plugin: AI Engine – The Chatbot, AI Framework & MCP for WordPress

CVE-2026-0746 | MEDIUM | CVSS 6.4 | 2026-01-27