CVE-2025-0429
Published: 22 January 2025
Summary
CVE-2025-0429 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Aipower Aipower. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked in the top 42.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires validation of untrusted inputs like $form['post_content'] to prevent PHP object injection via unsafe deserialization in wpaicg_export_ai_forms().
Mandates timely remediation of flaws such as this PHP object injection vulnerability through patching, as documented in Wordfence and WordPress trac changeset 3224162.
Enables vulnerability scanning and monitoring to identify PHP object injection flaws like CVE-2025-0429 in WordPress plugins before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
PHP Object Injection via deserialization enables arbitrary code execution (T1059), sensitive data retrieval (T1005), and arbitrary file deletion (T1070.004) if a POP chain is provided by another plugin or theme.
NVD Description
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_ai_forms() function. This allows authenticated attackers, with administrative privileges, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Deeper analysis
CVE-2025-0429 is a PHP Object Injection vulnerability (CWE-502) in the "AI Power: Complete AI Pack" WordPress plugin, affecting versions up to and including 1.8.96. The flaw stems from deserialization of untrusted input sourced from the $form['post_content'] variable within the wpaicg_export_ai_forms() function, enabling the injection of a PHP Object.
Authenticated attackers with administrative privileges can exploit this vulnerability over the network with low complexity and no user interaction. While no property-oriented programming (POP) chain is present in the vulnerable plugin itself, if a POP chain exists via another plugin or theme on the target system, exploitation could lead to arbitrary file deletion, retrieval of sensitive data, or arbitrary code execution. The issue carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Advisories and patches are documented in Wordfence threat intelligence and WordPress plugin trac changeset 3224162.
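The input validation that SI-10 calls for can be sketched as follows. This is an added example, not the plugin's code or the fix in changeset 3224162; the helper names `contains_object()` and `safe_unserialize_form_content()` are hypothetical, the sample strings are constructed, and it assumes the stored form content is expected to be a plain array of scalars and arrays.

```php
<?php
// Added illustration; helper names are hypothetical, not from the AI Power plugin.

/** True if an object (including __PHP_Incomplete_Class) appears anywhere in $value. */
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Deserialize stored form content without instantiating any class.
 * Returns the decoded array, or null when the input is rejected.
 */
function safe_unserialize_form_content(string $raw): ?array
{
    // Layer 1: allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no magic method of a real class can run.
    $value = @unserialize($raw, ['allowed_classes' => false]);

    // Layer 2: the expected shape is a plain array; anything else is rejected,
    // including malformed input (unserialize() returns false for it).
    if (!is_array($value) || contains_object($value)) {
        return null;
    }
    return $value;
}

// Constructed sample inputs: one plain form definition, one carrying an object.
$plain  = serialize(['title' => 'Contact form', 'fields' => ['name', 'email']]);
$object = serialize(['title' => 'Contact form', 'meta' => new stdClass()]);

var_dump(safe_unserialize_form_content($plain));       // decoded array
var_dump(safe_unserialize_form_content($object));      // rejected
var_dump(safe_unserialize_form_content('not-serialized')); // rejected
```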
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: The vulnerability affects the 'AI Power: Complete AI Pack' WordPress plugin, which provides AI features likely including assistants or integrations for WordPress sites, fitting the Enterprise AI Assistants category as an enterprise-level AI toolset.