CVE-2025-0429

Name of the Vulnerable Software and Affected Versions AI Power: Complete AI Pack versions up to, and including, 1.8.96

Description The issue concerns a PHP Object Injection vulnerability. It arises from the deserialization of untrusted input from the post content variable through the wpaicg export ai forms() function. This allows authenticated attackers with administrative privileges to inject a PHP object. No POP chain is present in the vulnerable plugin. However, if a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Recommendations For versions up to, and including, 1.8.96, update to a version higher than 1.8.96 to resolve the issue. As a temporary workaround, consider restricting access to the wpaicg export ai forms() function until a patch is available. Additionally, avoid using the post content variable in the affected function to minimize the risk of exploitation.