CVE-2025-6238 HIGH

CVE-2025-6238: AI Engine 2.8.4 - Insecure OAuth Implementation

Vendor Tigroumeow

Product AI Engine

Weakness CWE-601 · Open redirect

Published July 4, 2025

Last update July 8, 2025

View on NVD All CVEs

CVSS base score

8.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirect_uri' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the authorization code and obtain an access token by redirecting the user to an attacker-controlled URI. Note: OAuth is disabled, the 'Meow_MWAI_Labs_OAuth' class is not loaded in the plugin in the patched version 2.8.5.

Key dates

02Disclosure timeline

July 4, 2025 CVE published

July 8, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-6238

Related vulnerabilities

CVE-2025-6238: AI Engine 2.8.4 - Insecure OAuth Implementation

01Description

02Disclosure timeline

03References

04Related CVE