What the vulnerability does
01 Description
The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.
Explanation of Vulnerability in Simple Terms
02 Summary
The Uncanny Automator plugin for WordPress contains a deserialization vulnerability in versions up to 6.4.0.1. An attacker can send a specially crafted request over the network to trigger unsafe deserialization of untrusted data. This can lead to modification of site data or denial of service without requiring authentication or user interaction.
What an attacker can do
03 Attacker Capabilities
Modify site data or cause the site to become unavailable by sending a malicious request.
Potential impact on your site
04 Site Impact
An attacker can alter site content or crash the site without logging in or tricking users.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
May 14, 2025: CVE published
April 8, 2026: Record updated