CVE-2025-0428: 
WordPress vulnerability analysis and mitigation

The CVE-2025-0428 vulnerability affects the 'AI Power: Complete AI Pack' WordPress plugin versions up to and including 1.8.96. This PHP Object Injection vulnerability was discovered in January 2025 and involves the deserialization of untrusted input from the $form['postcontent'] variable through the wpaicgexport_prompts function (NVD, CVE).

The vulnerability is a PHP Object Injection flaw that occurs during the deserialization of untrusted input specifically in the $form['postcontent'] variable through the wpaicgexport_prompts function. The CVSS v3.1 base score is 7.2 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) (NVD).

While no POP chain is present in the vulnerable plugin itself, if a POP chain exists via an additional plugin or theme installed on the target system, the vulnerability could allow authenticated attackers with administrative privileges to delete arbitrary files, retrieve sensitive data, or execute code (NVD).

The vulnerability has been patched in version 1.8.97 of the AI Power: Complete AI Pack plugin. Users should update to this version or later to mitigate the vulnerability (WordPress Patch).