Description
The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.
Published: 2025-05-14
Score: 9.1 Critical
EPSS: 1.1% Low
KEV: No
Impact: Unauthenticated PHP Object Injection enabling arbitrary file deletion
Action: Immediate Patch
AI Analysis

Impact

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This flaw allows an unauthenticated attacker to construct a malicious object that, when processed by the plugin, can delete arbitrary files on the server. The ability to remove files can lead to compromising configuration, injecting additional code, or facilitating further attacks.

Affected Systems

WordPress sites running the Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin by uncannyowl with versions <=6.4.0.1. The vulnerability applies to any installation that has this plugin exposed to outside traffic and does not restrict access to the automator_api_decode_message endpoint.

Risk and Exploitability

The CVSS score of 9.1 indicates high severity, while an EPSS score of 1% suggests a realistic but moderate chance of exploitation. The flaw is not listed in CISA's KEV catalog. The likely attack vector is unauthenticated HTTP requests targeting the automator API endpoint, which must be reachable without login credentials. Once the payload is sent, an attacker can induce file deletion, potentially escalating privileges or allowing further exploitation depending on server configuration.

Generated by OpenCVE AI on April 22, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Uncanny Automator plugin to version 6.4.0.2 or later.
  • If an upgrade cannot be performed immediately, disable the Uncanny Automator plugin or remove the exposed API endpoint that handles automator_api_decode_message to eliminate the deserialization vector.
  • Apply file‑system permissions that restrict write/delete access to the webroot and, if possible, configure a web‑application firewall rule to block unauthenticated requests to the automator API endpoint.

Generated by OpenCVE AI on April 22, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-14637 The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.
History

Tue, 12 Aug 2025 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Uncannyowl
Uncannyowl uncanny Automator
CPEs cpe:2.3:a:uncannyowl:uncanny_automator:*:*:*:*:*:wordpress:*:*
Vendors & Products Uncannyowl
Uncannyowl uncanny Automator

Thu, 26 Jun 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Description The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files. The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.
Title Uncanny Automator <= 6.4.0.1 - Authenticated (Subscriber+) PHP Object Injection in automator_api_decode_message Function Uncanny Automator <= 6.4.0.1 - Unauthenticated PHP Object Injection in automator_api_decode_message Function
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Wed, 14 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 14 May 2025 03:00:00 +0000

Type Values Removed Values Added
Description The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.
Title Uncanny Automator <= 6.4.0.1 - Authenticated (Subscriber+) PHP Object Injection in automator_api_decode_message Function
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Uncannyowl Uncanny Automator
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:23.313Z

Reserved: 2025-04-15T01:34:31.565Z

Link: CVE-2025-3623

cve-icon Vulnrichment

Updated: 2025-05-14T13:26:17.602Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-14T03:15:33.073

Modified: 2025-08-12T01:51:52.263

Link: CVE-2025-3623

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T17:30:22Z

Weaknesses