CVE-2025-3623
Uncanny Automator <= 6.4.0.1 - Unauthenticated PHP Object Injection in automator_api_decode_message Function
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.1EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
14 May 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected products
uncannyowl · Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder PluginWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://automatorplugin.com/knowledge-base/uncanny-automator-changelog/#6-4-0-2-2025-04-18https://plugins.trac.wordpress.org/browser/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.php#L540https://plugins.trac.wordpress.org/changeset/3276577/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.phphttps://wordpress.org/plugins/uncanny-automator/#developershttps://www.wordfence.com/threat-intel/vulnerabilities/id/00bcfd8f-9785-449a-a0ea-16e2583d684a?source=cve