CVE-2025-6238

HIGH 8.0

AI Engine 2.8.4 - Insecure OAuth Implementation

CVSS Score

8.0

EPSS Score

0.0%

EPSS Percentile

0th

The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirect_uri' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the authorization code and obtain an access token by redirecting the user to an attacker-controlled URI. Note: OAuth is disabled, the 'Meow_MWAI_Labs_OAuth' class is not loaded in the plugin in the patched version 2.8.5.

CWE	CWE-601
Vendor	tigroumeow
Product	ai engine
Published	Jul 4, 2025
Last Updated	Jul 8, 2025

Stay Ahead of the Next One

Get instant alerts for tigroumeow ai engine

Be the first to know when new high vulnerabilities affecting tigroumeow ai engine are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

tigroumeow / AI Engine

2.8.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/1edc84fd-8cb5-4899-9444-1b6ae3144917?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.8.4/labs/oauth.php plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3321384/ai-engine/trunk/labs/mcp.php plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3321384/ai-engine/trunk/labs/oauth.php

Credits

István Márton