WordPress Plugin Vulnerabilities

Uncanny Automator < 6.4.0.2 - Unauthenticated PHP Object Injection in automator_api_decode_message Function

Description

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.

Affects Plugins

Plugin icon
uncanny-automator
Fixed in 6.4.0.2

References

CVE
CVE-2025-3623
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/00bcfd8f-9785-449a-a0ea-16e2583d684a

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
9.1 (critical)

Miscellaneous

Original Researcher
mikemyers, Gai Tanaka
Verified
No
WPVDB ID
f909961b-ffc4-41a4-9d8d-6b3b5a78f155

Timeline

Publicly Published
2025-05-13 (about 10 months ago)
Added
2025-05-13 (about 10 months ago)
Last Updated
2025-06-13 (about 9 months ago)

Other

Published
Title
Published
2025-04-15
Title
uListing <= 2.2.0 - Authenticated (Subscriber+) PHP Object Injection
Published
2023-12-26
Title
WP-Mobile-BankID-Integration < 1.0.1 - PHP Object Injection
Published
2022-08-08
Title
String Locator < 2.6.0 - Authenticated PHAR Deserialization
Published
2025-08-21
Title
s2Member < 250905 - Unauthenticated PHP Object Injection
Published
2022-12-27
Title
Google Analyticator < 6.5.6 - Admin+ PHP Object Injection