CVE-2025-3623
Uncanny Automator <= 6.4.0.1 - Unauthenticated PHP Object Injection in automator_api_decode_message Function
Vexday Risk Score
28Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 9.1EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
14 may 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Productos afectados
uncannyowl · Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://automatorplugin.com/knowledge-base/uncanny-automator-changelog/#6-4-0-2-2025-04-18https://plugins.trac.wordpress.org/browser/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.php#L540https://plugins.trac.wordpress.org/changeset/3276577/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.phphttps://wordpress.org/plugins/uncanny-automator/#developershttps://www.wordfence.com/threat-intel/vulnerabilities/id/00bcfd8f-9785-449a-a0ea-16e2583d684a?source=cve