Uncanny Automator PHP Object Injection Vulnerability in WordPress

Vulnerability

A PHP Object Injection vulnerability has been identified in the Uncanny Automator plugin for WordPress, affecting all versions through 6.4.0.1. The vulnerability arises from the deserialization of untrusted input in the 'automator_api_decode_message()' function. This flaw allows authenticated attackers with Subscriber-level access and above to inject PHP objects. Object injection on its own only instantiates an attacker-chosen class; if a Property-Oriented Programming (POP) chain is present, the injected object can be used to delete arbitrary files.

Impact

Exploitation of this vulnerability allows for PHP Object Injection, which can lead to arbitrary file deletion.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request whose payload reaches the 'automator_api_decode_message()' function. That function deserializes the untrusted data, so a serialized object in the payload is instantiated as a PHP object. Whether this goes beyond object injection to file deletion depends on a POP chain being reachable in the code loaded for that request.
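The following is an added illustration, not code from the plugin or from this advisory: it shows the general decode pattern behind the flaw described above (unserialize() applied to request data) next to a hardened decoder, from the defender's side. The function names decode_message_unsafe, contains_serialized_object and decode_message_safe are hypothetical; the real body of automator_api_decode_message() is not shown on this page.

```php
<?php
// Added illustration, not the plugin's code. All names are hypothetical;
// the real automator_api_decode_message() body is not on this page.

// Vulnerable pattern: unserialize() on request data lets the sender choose
// the class of the resulting object. If any class loaded during the request
// has a __wakeup()/__destruct() that touches the filesystem, that is the POP
// chain the advisory refers to (here ending in file deletion).
function decode_message_unsafe(string $raw)
{
    $payload = base64_decode($raw, true);
    return $payload === false ? null : unserialize($payload);
}

// Detection aid (heuristic): a serialized PHP object starts with
// O:<len>:"<class>": (or C: for Serializable classes). A message meant to
// carry only scalars and arrays never needs either token, so log it.
function contains_serialized_object(string $payload): bool
{
    return preg_match('/(^|[;{])[OC]:\d+:"/', $payload) === 1;
}

// Hardened: never turn untrusted bytes into live objects. Prefer JSON; if a
// legacy php-serialized format must still be accepted, allowed_classes=false
// turns every object token into __PHP_Incomplete_Class, so no magic method
// of a real class can run during deserialization.
function decode_message_safe(string $raw): ?array
{
    $payload = base64_decode($raw, true);
    if ($payload === false) {
        return null;
    }
    $data = json_decode($payload, true, 32);
    if (json_last_error() === JSON_ERROR_NONE && is_array($data)) {
        return $data;
    }
    if (contains_serialized_object($payload)) {
        error_log('decode_message_safe: rejected payload carrying a serialized object');
        return null;
    }
    $data = @unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed samples: a benign JSON message decodes; an object token is refused.
var_dump(decode_message_safe(base64_encode('{"event":"user_login","id":7}')));
var_dump(decode_message_safe(base64_encode('O:8:"stdClass":0:{}')));
```

Independently of the decoder, any endpoint that accepts such messages should also gate on a capability above Subscriber, since the advisory's attacker is a low-privilege authenticated user.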

Remediation

Users are advised to update the Uncanny Automator plugin to version 6.4.0.2 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread          5.2
impact          0.0
exploitability  6.4
remediation     7.7
relevance       0.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.