CVE-2025-6238 is a high-severity vulnerability classified as an Open Redirect (CWE-601) found in version 2.8.4 of the tigroumeow AI Engine WordPress plugin. The root cause is an insecure OAuth implementation where the 'redirect_uri' parameter is not validated during the OAuth authorization flow. This flaw allows unauthenticated attackers to manipulate the redirection endpoint, causing the authorization code to be sent to an attacker-controlled URI. By intercepting this authorization code, attackers can obtain an OAuth access token, potentially granting them unauthorized access to protected resources or user accounts. The vulnerability requires user interaction, as the victim must initiate the OAuth flow, but no prior authentication is needed for the attacker to exploit it. The plugin author addressed this issue in version 2.8.5 by disabling OAuth and removing the vulnerable 'Meow_MWAI_Labs_OAuth' class. The CVSS v3.1 score of 8.0 reflects the high impact on confidentiality, integrity, and availability, with low attack complexity but requiring user interaction and limited privileges. No known exploits are currently reported in the wild, but the vulnerability poses a significant risk if weaponized, especially in environments where the AI Engine plugin is used for sensitive operations or data.

For European organizations, this vulnerability could lead to unauthorized access to sensitive data or systems integrated with the tigroumeow AI Engine plugin. Since the plugin is used within WordPress environments, which are prevalent across many sectors including government, healthcare, finance, and media, exploitation could result in data breaches, account takeover, and potential lateral movement within networks. The interception of OAuth tokens could allow attackers to impersonate users or escalate privileges, undermining trust in affected services. Additionally, compromised sites could be used to launch further phishing or social engineering attacks targeting European users. The impact is heightened in organizations relying on OAuth for secure authentication and authorization flows, as this vulnerability directly undermines those mechanisms.

Organizations should immediately upgrade the tigroumeow AI Engine plugin to version 2.8.5 or later, where OAuth is disabled and the vulnerable code removed. If upgrading is not immediately possible, administrators should disable OAuth functionality within the plugin configuration to prevent exploitation. Additionally, monitoring OAuth authorization logs for unusual redirect URIs or authorization code requests can help detect attempted exploitation. Implementing strict Content Security Policy (CSP) headers and validating all redirect URIs at the application level can provide defense-in-depth. Educating users about phishing risks related to OAuth flows and encouraging cautious interaction with authorization prompts is also recommended. Finally, organizations should audit their OAuth client registrations to ensure redirect URIs are strictly controlled and whitelist only trusted endpoints.