CVE-2025-12844
BaseFortify
Publication date: 2025-11-13
Last updated on: 2025-11-13
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| WordPress (plugin) | AI Engine | up to and including 3.1.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a PHP Object Injection via PHAR deserialization in the AI Engine plugin for WordPress, affecting versions up to and including 3.1.8. The 'rest_simpleTranscribeAudio' and 'rest_simpleVisionQuery' REST callbacks pass a caller-supplied path to a filesystem operation without rejecting stream wrappers; a path using the phar:// wrapper causes PHP to unserialize the archive's metadata, so an authenticated user with Subscriber-level access or higher can inject arbitrary PHP objects. On its own the injection has no direct impact: it becomes exploitable only when another plugin or theme on the same site supplies a POP (Property Oriented Programming) gadget chain, which could then be used to delete files, retrieve sensitive data, or execute code.
How can this vulnerability impact me?
If the vulnerable plugin is used alongside another plugin or theme containing a POP chain, an attacker with Subscriber-level access could exploit this vulnerability to delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the affected WordPress site.
What immediate steps should I take to mitigate this vulnerability?
Update the AI Engine plugin to a release newer than 3.1.8, where the issue is fixed. Because exploitation also requires a POP gadget chain from another plugin or theme, keep the rest of the install minimal and fully updated; auditing every component for gadget chains is rarely practical, and any newly installed plugin can supply one. Restrict Subscriber-level and higher accounts to trusted users (for example, disable open registration if it is not needed). Monitor REST API requests to the endpoints backed by 'rest_simpleTranscribeAudio' and 'rest_simpleVisionQuery' for parameters containing phar:// or other stream-wrapper prefixes. Note that PHP 8.0 and later no longer unserialize PHAR metadata on ordinary file operations, which removes this particular trigger, but that is not a substitute for applying the update.
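The following is an added example, not code from the AI Engine plugin or from this page. It shows the vulnerable pattern the explanation above describes (a REST callback handing a user-controlled path to a filesystem function, which on PHP 7.x triggers PHAR metadata deserialization for a phar:// path) next to a hardened version, plus the stream-wrapper unregistration a site owner can deploy as defence in depth while waiting to update. All function and parameter names (insecure_transcribe_handler, secure_resolve_upload_path, the 'path' parameter, the route name) are assumed for illustration; the WordPress APIs used (WP_REST_Request, WP_Error, wp_upload_dir, register_rest_route) are real.

```php
<?php
// Added example illustrating CVE-2025-12844's vulnerability class.
// Not the plugin's own code; handler and parameter names are assumed.

// --- Vulnerable pattern (hypothetical) -------------------------------------
// The caller controls $path. On PHP < 8.0, even file_exists() on
// "phar:///path/to/evil.phar" makes PHP unserialize the archive's metadata,
// instantiating attacker-chosen objects. Harm then depends on a POP chain
// existing in some other installed plugin or theme.
function insecure_transcribe_handler(WP_REST_Request $request) {
    $path = $request->get_param('path');
    if (!file_exists($path)) {
        return new WP_Error('missing', 'File not found', ['status' => 404]);
    }
    return rest_ensure_response(['size' => filesize($path)]);
}

// --- Hardened pattern -------------------------------------------------------
// Resolve the caller's value to a regular file inside the uploads directory
// and refuse every stream wrapper before any filesystem call sees the value.
function secure_resolve_upload_path(string $candidate) {
    // 1. Reject any URL scheme: phar://, data://, php://, ftp://, ...
    //    Checked on the raw string, before file_exists()/is_file()/realpath().
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate)) {
        return new WP_Error('bad_path', 'Stream wrappers are not allowed', ['status' => 400]);
    }
    // 2. Anchor to the uploads directory and canonicalise (collapses ../).
    $uploads = wp_upload_dir();
    $base = realpath($uploads['basedir']);
    $real = ($base !== false)
        ? realpath($base . '/' . ltrim($candidate, '/\\'))
        : false;
    // 3. The canonical path must remain inside the uploads directory.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return new WP_Error('bad_path', 'Path outside uploads directory', ['status' => 400]);
    }
    // 4. Regular files only; refuse .phar archives outright as a belt-and-braces check.
    if (!is_file($real) || preg_match('/\.phar$/i', $real)) {
        return new WP_Error('bad_path', 'Not an allowed file', ['status' => 400]);
    }
    return $real;
}

function secure_transcribe_handler(WP_REST_Request $request) {
    $real = secure_resolve_upload_path((string) $request->get_param('path'));
    if (is_wp_error($real)) {
        return $real;
    }
    return rest_ensure_response(['size' => filesize($real)]);
}

// Raise the bar on who may reach the endpoint at all: require a capability
// beyond what Subscribers hold instead of only checking for a logged-in user.
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/transcribe', [
        'methods'             => 'POST',
        'callback'            => 'secure_transcribe_handler',
        'permission_callback' => function () {
            return current_user_can('upload_files');
        },
    ]);
});

// --- Defence in depth (drop into wp-content/mu-plugins/) --------------------
// Removing the phar:// wrapper means no code path in any plugin can reach
// PHAR metadata deserialization. Only do this if nothing on the site
// legitimately reads .phar archives.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}
```

The scheme check in step 1 must run on the untouched input: realpath() returns false for phar:// strings, but file_exists() and is_file() happily open them, so a validator that calls those first has already triggered the deserialization it was meant to prevent. The mu-plugin snippet is the only part that protects an unpatched site; the handler code shows what the fix in a plugin should look like.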