PHP Object Injection Vulnerability in AI Power: Complete AI Pack for WordPress
CVE-2025-0429
7.2HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 22 January 2025
What is CVE-2025-0429?
The AI Power: Complete AI Pack plugin for WordPress is susceptible to a PHP Object Injection vulnerability due to the unsafe deserialization of untrusted input from the $form['post_content'] variable in the wpaicg_export_ai_forms() function. This flaw allows authenticated users with administrative rights to exploit the vulnerability, potentially leading to the injection of malicious PHP objects. While there is no inherent PHP Object Pollution (POP) chain in this plugin, the presence of an additional vulnerable plugin or theme on the same site could enable the attacker to delete files, steal sensitive information, or execute arbitrary code.
Affected Version(s)
AI Puffer β Your AI engine for WordPress (formerly AI Power) 0 <= 1.8.96