WordPress Plugin Vulnerabilities

Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin < 6.3 - Authenticated (Admin+) Server-Side Request Forgery via Webhook

Description

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.2 via the 'call_webhook' method of the Automator_Send_Webhook class This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affects Plugins

Plugin icon
uncanny-automator
Fixed in 6.3

References

CVE
CVE-2024-13838
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/29eeac86-6b33-49e6-a7e1-c80dee383d6f

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
99bf5ad1-471d-4e88-9647-d2c9cd69cdc4

Timeline

Publicly Published
2025-03-11 (about 1 year ago)
Added
2025-03-11 (about 1 year ago)
Last Updated
2025-03-12 (about 1 year ago)

Other

Published
Title
Published
2026-02-08
Title
Fluent Forms Pro Add On Pack < 6.1.13 - Authenticated (Subscriber+) Server-Side Request Forgery via 'saveDataSource'
Published
2023-05-02
Title
Orbit Fox < 2.10.24 - Author+ Server-Side Request Forgery
Published
2024-04-16
Title
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator < 4.4.8 - Authenticated(Contributor+) Blind Server-Side Request Forgery (SSRF)
Published
2024-04-22
Title
Podlove Podcast Publisher < 4.0.12 - Authenticated (Contributor+) Server-Side Request Forgery
Published
2025-11-26
Title
AI ChatBot with ChatGPT and Content Generator by AYS < 2.7.1 - Unauthenticated Server-Side Request Forgery via 'pinecone_url' Parameter