Description
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_ai_forms() function. This allows authenticated attackers, with administrative privileges, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Published: 2025-01-22
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Code Execution or Data Loss via PHP Object Injection
Action: Immediate Patch
AI Analysis

Impact

The AI Power: Complete AI Pack plugin contains a PHP Object Injection flaw (CWE-502): attacker-controlled data from the $form['post_content'] field is passed to PHP's unserialize() in the wpaicg_export_ai_forms() function, so the attacker chooses which class is instantiated and with which property values. Exploitation requires an administrator account on the WordPress site. The plugin itself ships no Property-Oriented Programming (POP) chain, meaning none of its own classes has a magic method (such as __destruct, __wakeup or __toString) that turns an injected object into a harmful action. If another installed plugin, theme or bundled library supplies such gadget classes, the injected object can be chained through them to delete arbitrary files, read sensitive data or execute arbitrary code, compromising the confidentiality, integrity and availability of the site.
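The mechanism described above, as an added example that is not the plugin's code and not part of the original advisory: a hypothetical gadget class (LogFlusher) of the kind another plugin might define, the unguarded unserialize() pattern that lets an attacker instantiate it, and two hardened variants (allowed_classes => false, and a JSON-only format). The function and class names are invented for this illustration; the payload is constructed in the script itself and only writes to a scratch file in the system temp directory. Requires PHP 8.0 or later.

```php
<?php
// Added illustration of the CWE-502 pattern behind this CVE. This is not the
// plugin's code: export_form_vulnerable(), export_form_hardened(),
// export_form_json() and the LogFlusher gadget are hypothetical names chosen
// for this example. Requires PHP 8.0+ (mixed return type).
declare(strict_types=1);

// Hypothetical gadget class of the kind another plugin or theme might define.
// Its destructor writes a buffer to a path taken from its own properties; once
// unserialize() rebuilds the object from attacker-controlled bytes, the
// attacker controls both properties and the write happens on destruction.
class LogFlusher
{
    public string $path = '';
    public string $buffer = '';

    public function __destruct()
    {
        if ($this->path !== '' && $this->buffer !== '') {
            file_put_contents($this->path, $this->buffer);
        }
    }
}

// Vulnerable pattern: a stored or submitted field is passed to unserialize()
// unguarded, so any class the autoloader can find may be instantiated.
function export_form_vulnerable(array $form): mixed
{
    return unserialize($form['post_content']);
}

// Hardened pattern 1: forbid object instantiation. Every O:... token becomes
// a __PHP_Incomplete_Class, so no magic method of a foreign class ever runs.
function export_form_hardened(array $form): mixed
{
    return unserialize($form['post_content'], ['allowed_classes' => false]);
}

// Hardened pattern 2: a data-only format. json_decode() with assoc=true builds
// nested arrays only, so there is nothing for a gadget chain to hook.
function export_form_json(array $form): array
{
    return json_decode($form['post_content'], true, 512, JSON_THROW_ON_ERROR);
}

// Constructed payload: serialize the two gadget properties as an array, then
// rewrite the array header into an object header of the gadget class
// (a:2:{...} becomes O:10:"LogFlusher":2:{...}).
$target  = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
$payload = serialize(['path' => $target, 'buffer' => "written by gadget\n"]);
$payload = preg_replace(
    '/^a:(\d+):/',
    'O:' . strlen(LogFlusher::class) . ':"' . LogFlusher::class . '":$1:',
    $payload,
    1
);

// Vulnerable path: the object is rebuilt and its destructor fires on unset().
$obj = export_form_vulnerable(['post_content' => $payload]);
var_dump($obj instanceof LogFlusher);
unset($obj);
var_dump(file_exists($target));
@unlink($target);

// Hardened path: no LogFlusher is instantiated, so nothing is written.
$safe = export_form_hardened(['post_content' => $payload]);
var_dump($safe instanceof __PHP_Incomplete_Class);
unset($safe);
var_dump(file_exists($target));

// Data-only path: the same fields round-trip as a plain array.
$data = export_form_json(['post_content' => json_encode(['path' => $target, 'buffer' => 'x'])]);
var_dump(is_array($data));
```

Run it with `php poi-demo.php`: the first file_exists() check reports true because the gadget's destructor ran, the second reports false because allowed_classes => false left only an incomplete-class placeholder. The allowed_classes option also accepts an explicit list of class names when a plugin genuinely needs to round-trip its own objects; false is the right default when the data only needs to carry arrays and scalars.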

Affected Systems

WordPress sites running the AI Power: Complete AI Pack plugin at version 1.8.96 or earlier (vendor and product recorded in the CPE as aipower:aipower, developed by senols) are affected. The vulnerable code path is present in every affected release regardless of site configuration; the only precondition is an account with administrative privileges that can reach the form export function.

Risk and Exploitability

The CVSS 3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) is rated High; the PR:H component reflects the administrator privilege the attack requires. The EPSS score below 1% and the SSVC assessment of Exploitation: none indicate no observed exploitation at the time of writing, and the CVE is not in the CISA KEV catalog. Two conditions narrow the practical risk. First, the attacker must already hold an administrator account, and on a standard single-site WordPress install an administrator can upload plugins or edit theme files and therefore already has code execution; the bug matters most where that capability has been removed, for example with DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT in wp-config.php, or on a multisite where site administrators are not super admins. Second, the plugin ships no POP chain, so an attacker needs gadget classes from another installed plugin, theme or library; sites running many third-party components should treat that as a realistic condition rather than a remote one.

Generated by OpenCVE AI on April 21, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AI Power: Complete AI Pack plugin to a release later than 1.8.96 that the vendor identifies as fixing this issue.
  • If an update is not yet available, disable or remove the plugin until a patch is released. If it must stay active, reduce exposure of the wpaicg_export_ai_forms path: keep the number of administrator accounts to a minimum, require multi-factor authentication for them, and block requests that carry serialized-object markers (the O:<length>:"ClassName" token) in bodies sent to the plugin's admin endpoints at the web server or WAF.
  • Review all installed themes and plugins for other unserialize() calls on untrusted data (CWE-502) and for classes whose magic methods (__destruct, __wakeup, __toString, __call) perform file, database or network operations, since those are the gadgets a POP chain is built from; patch or remove such components so that an injected object has nothing to chain into.
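A triage helper for the review step in the last bullet, added here as an example and not part of OpenCVE, Wordfence or the plugin. It walks a directory tree, flags unserialize() calls whose statement never mentions allowed_classes, and lists classes that define magic methods a POP chain could use. scan_php_tree() is a hypothetical name, the checks are regex heuristics (a hit is a lead to read by hand, not a confirmed finding), and the sample tree it scans is constructed inside the script so it runs offline. Requires PHP 8.0 or later.

```php
<?php
// Added triage helper for reviewing wp-content/ for unserialize() sinks and
// gadget classes. Not part of OpenCVE, Wordfence or the plugin; scan_php_tree()
// is a hypothetical name. Both checks are regex heuristics. Requires PHP 8.0+.
declare(strict_types=1);

function scan_php_tree(string $root): array
{
    $out  = ['sinks' => [], 'gadgets' => []];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        $src  = file_get_contents($path);
        if ($src === false) {
            continue;
        }

        // Sinks: each unserialize( ... ) up to the end of its statement. A call
        // whose statement never mentions allowed_classes can instantiate any
        // loaded class, which is the CWE-502 pattern this CVE describes.
        if (preg_match_all('/\bunserialize\s*\(.*?;/s', $src, $m, PREG_OFFSET_CAPTURE)) {
            foreach ($m[0] as [$stmt, $offset]) {
                $out['sinks'][] = [
                    'file'    => $path,
                    'line'    => substr_count($src, "\n", 0, $offset) + 1,
                    'guarded' => str_contains($stmt, 'allowed_classes'),
                ];
            }
        }

        // Gadgets: magic methods that unserialize() or later use of the object
        // can trigger, attributed to the nearest preceding class declaration.
        preg_match_all('/\bclass\s+(\w+)/', $src, $cls, PREG_OFFSET_CAPTURE);
        $magic = '/\bfunction\s+(__destruct|__wakeup|__unserialize|__toString|__call)\s*\(/';
        if (preg_match_all($magic, $src, $mm, PREG_OFFSET_CAPTURE)) {
            foreach ($mm[1] as [$method, $offset]) {
                $owner = '(unknown)';
                foreach ($cls[1] as [$name, $coff]) {
                    if ($coff > $offset) {
                        break;
                    }
                    $owner = $name;
                }
                $out['gadgets'][] = [
                    'file'   => $path,
                    'line'   => substr_count($src, "\n", 0, $offset) + 1,
                    'class'  => $owner,
                    'method' => $method,
                ];
            }
        }
    }
    return $out;
}

// Constructed sample tree standing in for wp-content/: one unguarded sink, one
// guarded sink, and one theme class with a file-writing destructor.
$root = sys_get_temp_dir() . '/poi-scan-' . getmypid();
mkdir("$root/plugins/demo", 0700, true);
mkdir("$root/themes/demo", 0700, true);
file_put_contents("$root/plugins/demo/export.php", <<<'PHP'
<?php
function export_forms(array $form) {
    $settings = unserialize($form['post_content']);
    $opts = unserialize(get_option('demo_opts'), ['allowed_classes' => false]);
    return [$settings, $opts];
}
PHP);
file_put_contents("$root/themes/demo/functions.php", <<<'PHP'
<?php
class CacheWriter {
    public $file; public $data;
    public function __destruct() { file_put_contents($this->file, $this->data); }
}
PHP);

$report = scan_php_tree($root);
foreach ($report['sinks'] as $s) {
    printf("%s %s:%d\n", $s['guarded'] ? 'ok  ' : 'SINK', $s['file'], $s['line']);
}
foreach ($report['gadgets'] as $g) {
    printf("GADGET %s::%s at %s:%d\n", $g['class'], $g['method'], $g['file'], $g['line']);
}
```

Point $root at a real wp-content/ directory (and drop the sample-tree setup) to run it against a site. The sink regex stops at the first semicolon, so a multi-statement call spread across lines may be attributed to a slightly wrong line, and a `class` keyword inside a comment will be picked up as a declaration; read every hit in context before acting on it.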

Generated by OpenCVE AI on April 21, 2026 at 22:27 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-1663
Title: The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_ai_forms() function. This allows authenticated attackers, with administrative privileges, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
History

Fri, 24 Jan 2025 21:15:00 +0000

Type: First Time appeared
Values Added: Aipower; Aipower aipower

Type: CPEs
Values Added: cpe:2.3:a:aipower:aipower:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Aipower; Aipower aipower

Wed, 22 Jan 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Jan 2025 07:45:00 +0000

Type: Description
Values Added: The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_ai_forms() function. This allows authenticated attackers, with administrative privileges, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Type: Title
Values Added: AI Power: Complete AI Pack <= 1.8.96 - Authenticated (Admin+) PHP Object Injection via wpaicg_export_ai_forms

Type: Weaknesses
Values Added: CWE-502

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:30.901Z

Reserved: 2025-01-13T16:56:10.632Z

Link: CVE-2025-0429

Vulnrichment

Updated: 2025-01-22T14:23:14.041Z

NVD

Status: Analyzed

Published: 2025-01-22T08:15:09.173

Modified: 2025-01-24T20:51:18.657

Link: CVE-2025-0429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:30:06Z

Weaknesses