CVE-2025-0429
Published: 22 January 2025
Description
Adversaries may delete files left behind by the actions of their intrusion activity.
Security Summary
CVE-2025-0429 is a PHP Object Injection vulnerability (CWE-502) in the "AI Power: Complete AI Pack" WordPress plugin, affecting versions up to and including 1.8.96. The flaw stems from deserialization of untrusted input sourced from the $form['post_content'] variable within the wpaicg_export_ai_forms() function, enabling the injection of a PHP Object.
Authenticated attackers possessing administrative privileges can exploit this vulnerability over the network with low complexity and no user interaction required. While no Proof-of-POP (POP) chain is present in the vulnerable plugin itself, if a POP chain exists via another plugin or theme on the target system, exploitation could lead to arbitrary file deletion, retrieval of sensitive data, or arbitrary code execution. The issue carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Advisories and patches are documented in Wordfence threat intelligence and WordPress plugin trac changeset 3224162.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- The vulnerability affects the 'AI Power: Complete AI Pack' WordPress plugin, which provides AI features likely including assistants or integrations for WordPress sites, fitting the Enterprise AI Assistants category as an enterprise-level AI toolset.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
PHP Object Injection via deserialization enables arbitrary code execution (T1059), sensitive data retrieval (T1005), and arbitrary file deletion (T1070.004) if a POP chain is provided by another plugin or theme.