PHP Object Injection Vulnerability in AI Power: Complete AI Pack for WordPress
CVE-2025-0429

7.2HIGH

What is CVE-2025-0429?

The AI Power: Complete AI Pack plugin for WordPress is susceptible to a PHP Object Injection vulnerability due to the unsafe deserialization of untrusted input from the $form['post_content'] variable in the wpaicg_export_ai_forms() function. This flaw allows authenticated users with administrative rights to exploit the vulnerability, potentially leading to the injection of malicious PHP objects. While there is no inherent PHP Object Pollution (POP) chain in this plugin, the presence of an additional vulnerable plugin or theme on the same site could enable the attacker to delete files, steal sensitive information, or execute arbitrary code.

Affected Version(s)

AI Puffer – Your AI engine for WordPress (formerly AI Power) 0 <= 1.8.96

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tran Anh Duc
.