Unknown · AI Power: Complete AI Pack · CVE-2025-0429
**Name of the Vulnerable Software and Affected Versions**
AI Power: Complete AI Pack versions up to, and including, 1.8.96
**Description**
The plugin is vulnerable to PHP Object Injection. The `wpaicg_export_ai_forms()` function deserializes untrusted input from the `post_content` variable, which allows authenticated attackers with administrative privileges to inject a PHP object. No POP chain is present in the vulnerable plugin itself. However, if a POP chain is available through an additional plugin or theme installed on the target system, the injected object could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
**Recommendations**
If you run a version up to, and including, 1.8.96, update to a version higher than 1.8.96 to resolve the issue. As a temporary workaround, consider restricting access to the `wpaicg_export_ai_forms()` function until a patch is available. Additionally, avoid using the `post_content` variable in the affected function to minimize the risk of exploitation.
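A hardened way to decode a stored form field such as `post_content`, shown as an added example (not the plugin's code or the vendor's patch): PHP's `allowed_classes` option keeps a serialized object from being instantiated, and any payload that carries one is rejected. `DemoGadget`, `contains_object()` and `decode_form_content()` are hypothetical names, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical class with a magic method, standing in for one that another
// plugin or theme might define. Not taken from AI Power or any real project.
final class DemoGadget
{
    public static bool $woke = false;
    public function __wakeup(): void
    {
        self::$woke = true; // records that unserialize() instantiated the class
    }
}

// True if $value is, or contains at any depth, an object placeholder.
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Decode stored form content without instantiating any class. Returns the
// array, or null when the input is malformed, not an array, or carries an object.
function decode_form_content(string $raw): ?array
{
    // allowed_classes => false maps every serialized object to
    // __PHP_Incomplete_Class, so no magic method of a real class is invoked.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value) || contains_object($value)) {
        return null;
    }
    return $value;
}

// Constructed sample inputs.
$benign  = serialize(['title' => 'Contact form', 'fields' => ['name', 'email']]);
$hostile = serialize(['title' => 'Contact form', 'extra' => new DemoGadget()]);

var_dump(decode_form_content($benign));
var_dump(decode_form_content($hostile));
var_dump(DemoGadget::$woke);
```

The explicit `__PHP_Incomplete_Class` check matters on PHP versions before 7.2, where `is_object()` returned false for that placeholder.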