PHP Object Injection Vulnerability in AI Power: Complete AI Pack for WordPress
CVE-2025-0428

7.2HIGH

What is CVE-2025-0428?

The AI Power: Complete AI Pack plugin for WordPress is susceptible to a PHP Object Injection vulnerability affecting versions up to 1.8.96. This vulnerability arises from the deserialization of untrusted data in the $form['post_content'] variable through the wpaicg_export_prompts function. Authenticated attackers with administrative privileges can exploit this weakness to inject malicious PHP Objects. While no direct PHP Object Payload (POP) chain is contained within the plugin itself, the presence of additional vulnerable plugins or themes on the target site could facilitate actions such as arbitrary file deletion, sensitive data retrieval, or even remote code execution.

Affected Version(s)

AI Puffer – Your AI engine for WordPress (formerly AI Power) 0 <= 1.8.96

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tran Anh Duc
.