Description
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_prompts function. This allows authenticated attackers, with administrative privileges, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Published: 2025-01-22
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: PHP Object Injection
Action: Patch
AI Analysis

Impact

The "AI Power: Complete AI Pack" WordPress plugin has a PHP Object Injection flaw (CWE-502) in versions up to and including 1.8.96. The vulnerability arises when the plugin deserializes data from the $form['post_content'] variable within the wpaicg_export_prompts function, allowing an attacker to inject a PHP object. While no property-oriented programming (POP) gadget chain exists within the plugin itself, the presence of such a chain elsewhere, for example in another installed plugin or the active theme, could turn the injection into code execution, arbitrary file deletion, or sensitive data exfiltration.
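As an added illustration of the CWE-502 pattern the description names (this is not the plugin's source, which is not reproduced on this page; every class, function name and payload below is constructed for the demonstration), the following PHP places the vulnerable unserialize-on-untrusted-input shape beside two hardened alternatives. The parameter stands in for the $form['post_content'] value the advisory identifies; DemoGadget stands in for a gadget class another plugin or theme might supply, with its side effect reduced to setting a flag so the difference between the three handlers is observable.

```php
<?php
// Added illustration of the CWE-502 pattern the CVE description names.
// It is NOT the plugin's source code; every class and function name here is
// hypothetical, and the payload is constructed for the demonstration.

// Stand-in for a "gadget" class that some other plugin or theme might define.
// Its __wakeup() has a side effect; here it only records that it ran.
class DemoGadget {
    public static $wakeupRan = false;
    public function __wakeup() {
        self::$wakeupRan = true; // in a real chain this is where the damage happens
    }
}

// Vulnerable pattern: unserialize() on attacker-controlled text (the analogue of
// the page's $form['post_content']) lets the input pick any loaded class and
// populate its properties, so __wakeup()/__destruct() of arbitrary classes run.
function import_prompts_vulnerable($post_content) {
    return unserialize($post_content);
}

// Hardened pattern 1: forbid objects. With allowed_classes => false every
// serialized object becomes __PHP_Incomplete_Class, whose magic methods never
// fire. Scalars and arrays still round-trip unchanged.
function import_prompts_no_objects($post_content) {
    $data = unserialize($post_content, ['allowed_classes' => false]);
    if ($data === false && $post_content !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    return $data;
}

// Hardened pattern 2 (preferred): do not use PHP serialization for import/export
// at all. JSON carries no class information, and the decoded shape is validated
// before anything downstream touches it.
function import_prompts_json($post_content) {
    $data = json_decode($post_content, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['title'])
        || !isset($data['prompts']) || !is_array($data['prompts'])) {
        throw new InvalidArgumentException('unexpected export structure');
    }
    return [
        'title'   => (string) $data['title'],
        'prompts' => array_map('strval', array_values($data['prompts'])),
    ];
}

// Constructed sample: a serialized DemoGadget object (10-character class name, no properties).
$payload = 'O:10:"DemoGadget":0:{}';

DemoGadget::$wakeupRan = false;
import_prompts_vulnerable($payload);
echo 'vulnerable: __wakeup ran = ' . var_export(DemoGadget::$wakeupRan, true) . PHP_EOL;

DemoGadget::$wakeupRan = false;
$obj = import_prompts_no_objects($payload);
echo 'no_objects: __wakeup ran = ' . var_export(DemoGadget::$wakeupRan, true)
   . ', decoded as ' . get_class($obj) . PHP_EOL;

try {
    import_prompts_json($payload);
} catch (JsonException $e) {
    echo 'json: serialized payload rejected (' . $e->getMessage() . ')' . PHP_EOL;
}
echo 'json: valid export -> '
   . json_encode(import_prompts_json('{"title":"t","prompts":["a","b"]}')) . PHP_EOL;
```

Run it with `php example.php` (PHP 7.3 or newer for the JSON_THROW_ON_ERROR flag; the allowed_classes option exists since PHP 7.0). Only the vulnerable handler lets the gadget's __wakeup() run; the allowed_classes variant yields an inert __PHP_Incomplete_Class, and the JSON variant rejects serialized PHP outright while still accepting a well-formed export. For an audit of an installed site, searching plugin and theme code for unserialize() calls that lack the allowed_classes option is the quickest way to find both the injection points and the candidate gadget classes that the advisory's "POP chain" caveat refers to.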

Affected Systems

WordPress sites running the senols AI Puffer (formerly AI Power) plugin at version 1.8.96 or earlier are impacted. The specific vendor is senols, and the plugin is known as AI Puffer. No additional version details beyond 1.8.96 are listed.

Risk and Exploitability

The CVSS base score of 7.2 indicates high severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers must be authenticated as administrators to exploit the flaw, so the administrative-privilege requirement is a significant mitigating factor. Nevertheless, if an attacker obtains admin rights and a POP chain is present via another component, the impact could expand to full code execution or data loss.

Generated by OpenCVE AI on April 22, 2026 at 13:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AI Power plugin to a version newer than 1.8.96 or uninstall it if no longer needed
  • Restrict administrative access to trusted users and remove unnecessary admin accounts
  • Audit and remove any plugins or themes that could supply a POP chain and are vulnerable to deserialization attacks

Advisories
Source: EUVD
ID: EUVD-2025-1662
Title: The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_prompts function. This allows authenticated attackers, with administrative privileges, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
History

Fri, 24 Jan 2025 21:15:00 +0000

Values added (nothing removed):
First Time appeared: Aipower; Aipower aipower
CPEs: cpe:2.3:a:aipower:aipower:*:*:*:*:*:wordpress:*:*
Vendors & Products: Aipower; Aipower aipower

Wed, 22 Jan 2025 15:15:00 +0000

Values added (nothing removed):
Metrics: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Jan 2025 07:45:00 +0000

Values added (nothing removed):
Description: The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_prompts function. This allows authenticated attackers, with administrative privileges, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Title: AI Power: Complete AI Pack <= 1.8.96 - Authenticated (Admin+) PHP Object Injection via wpaicg_export_prompts
Weaknesses: CWE-502
References: (none listed)
Metrics: cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:02.855Z

Reserved: 2025-01-13T16:54:57.091Z

Link: CVE-2025-0428

Vulnrichment

Updated: 2025-01-22T14:26:24.533Z

NVD

Status : Analyzed

Published: 2025-01-22T08:15:09.013

Modified: 2025-01-24T20:56:49.767

Link: CVE-2025-0428

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:45:18Z

Weaknesses