Description
Subscriber PHP Object Injection in Uncanny Automator Pro <= 7.3.0.6 versions.
Published: 2026-06-26
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw present in versions of the Uncanny Automator Pro plugin up to 7.3.0.6. The flaw allows an attacker to supply crafted serialized objects that the application deserializes without validation, which can lead to arbitrary code execution on the host. This is a classic example of CWE-502 (Deserialization of Untrusted Data) and can compromise the confidentiality, integrity, and availability of the site and its underlying infrastructure.

Affected Systems

Affected systems are WordPress installations that have the Uncanny Owl Uncanny Automator Pro plugin installed with a version less than or equal to 7.3.0.6. The plugin is distributed by Uncanny Owl and is commonly used to automate actions within WordPress. No other products or vendors are listed in the CNA data.

Risk and Exploitability

The CVSS score of 9.8 categorizes this flaw as critical, indicating a high likelihood of serious exploitation. The EPSS score is not available, so the current exploitation probability cannot be quantified, but the absence of a KEV listing does not diminish the severity. Based on the nature of PHP Object Injection, the most likely attack vector involves an attacker sending malicious payloads to the plugin via endpoints that accept serialized data; it may be possible through exposed APIs, form submissions, or direct requests. Specific prerequisites such as authentication are not detailed in the CVE description, so the exact attack path remains inferred.

Generated by OpenCVE AI on June 26, 2026 at 17:15 UTC.

Remediation

Vendor Solution

Update the WordPress Uncanny Automator Pro Plugin to the latest available version (at least 7.3.0.7).


OpenCVE Recommended Actions

  • Update the WordPress Uncanny Automator Pro plugin to the latest version (at least 7.3.0.7).
  • If the plugin is not essential, consider disabling or uninstalling it to remove the attack surface.
  • Regularly review WordPress and plugin updates, and validate that incoming data is not deserialized without explicit checks; follow best practices for input sanitization.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Subscriber PHP Object Injection in Uncanny Automator Pro <= 7.3.0.6 versions.
Title | | WordPress Uncanny Automator Pro plugin <= 7.3.0.6 - PHP Object Injection vulnerability
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T16:48:56.403Z

Reserved: 2026-06-18T14:38:04.420Z

Link: CVE-2026-56057

Vulnrichment

Updated: 2026-06-26T16:48:52.564Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data