CVE-2025-12844

Name of the Vulnerable Software and Affected Versions AI Engine versions prior to 3.1.9

Description The AI Engine plugin for WordPress is susceptible to PHP Object Injection through PHAR Deserialization. This occurs due to the deserialization of untrusted input within the rest simpleTranscribeAudio and rest simpleVisionQuery functions. Authenticated attackers with Subscriber-level access or higher can inject a PHP Object. The impact of this issue is limited unless another plugin or theme containing a PHP Object Injection (POP) chain is installed, which could allow for actions such as arbitrary file deletion, sensitive data retrieval, or code execution.

Recommendations Update AI Engine to version 3.1.9 or later.