Description
Unauthenticated PHP Object Injection in Uncanny Automator <= 7.3.1.2 versions.
Published: 2026-06-26
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated PHP Object Injection flaw exists in the WordPress Uncanny Automator plugin up to and including version 7.3.1.2. The plugin deserializes user-supplied data and instantiates objects from it during normal operation, which lets an attacker craft a payload that can execute arbitrary code or otherwise compromise the site. The weakness is classified as CWE‑502 (Deserialization of Untrusted Data) and can lead to full site compromise if exploited.

Affected Systems

WordPress installations that host the Uncanny Owl Uncanny Automator plugin at version 7.3.1.2 or earlier. Because the plugin hooks into standard WordPress integration points and does not require special privileges to operate, any site running a vulnerable version is at risk.

Risk and Exploitability

The flaw carries a CVSS score of 8.1 (High) and is exploitable without authentication. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no large‑scale exploitation has been recorded so far. The likely attack vector, inferred from the description, is unauthenticated HTTP requests to publicly accessible endpoints that accept serialized input, such as the plugin’s REST API or other internal interfaces. Successful exploitation could enable remote code execution or privilege escalation on the affected server.

Generated by OpenCVE AI on June 26, 2026 at 17:19 UTC.

Remediation

Vendor Solution

Update the WordPress Uncanny Automator Plugin to the latest available version (at least 7.3.1.3).


OpenCVE Recommended Actions

  • Upgrade the Uncanny Automator plugin to version 7.3.1.3 or later, following the vendor’s official patch.
  • Restrict access to the plugin’s administrative pages or endpoints so that only users with administrative rights can interact with them.
  • Inspect the plugin’s code for custom serialization logic and replace insecure deserialization with safe handling or remove it entirely to address CWE‑502.
  • Perform a file integrity check on the plugin files to detect any malicious payloads that may have been injected before patching.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated PHP Object Injection in Uncanny Automator <= 7.3.1.2 versions.
Title | | WordPress Uncanny Automator plugin <= 7.3.1.2 - PHP Object Injection vulnerability
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:43:37.733Z

Reserved: 2026-06-18T14:37:29.430Z

Link: CVE-2026-56031

Vulnrichment

Updated: 2026-06-26T17:34:05.879Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data