CVE-2025-3623 CRITICAL

CVE-2025-3623: Uncanny Automator <= 6.4.0.1 - Unauthenticated PHP Object Injection in automator_api_decode_message Function

Vendor Uncannyowl
Product Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Weakness CWE-502 · Unsafe deserialization
Published May 14, 2025
Last update April 8, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1, via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated attackers to inject a PHP object. The additional presence of a POP (property-oriented programming) gadget chain allows attackers to delete arbitrary files on the server.
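The following PHP snippet is an added illustration of the weakness class described above (CWE-502, PHP Object Injection via unserialize() on attacker-controlled input) placed beside two hardened forms. It is not code from the Uncanny Automator plugin and does not reproduce the real POP chain: the function names, the base64 wire format and the LogHandle gadget class are hypothetical stand-ins, and the demonstration only deletes a temporary file it created itself.

```php
<?php
// Added example, not the plugin's code. The decode functions, the message
// format and the LogHandle gadget are hypothetical and exist only to show
// the vulnerable pattern and its fix.

// Hypothetical gadget: a class already loaded on the target whose magic
// method has a file-system side effect. Real POP chains are built from
// classes that WordPress core or installed plugins happen to define.
class LogHandle {
    public string $path;
    public function __construct(string $path) { $this->path = $path; }
    // Runs automatically when the object is destroyed, i.e. right after
    // unserialize() creates it, even if the caller never touches it.
    public function __destruct() {
        if (is_file($this->path)) {
            unlink($this->path);   // arbitrary file deletion primitive
        }
    }
}

// Vulnerable pattern: unserialize() on data the caller does not control.
function decode_message_vulnerable(string $message) {
    return unserialize(base64_decode($message));
}

// Hardened pattern 1: keep the wire format but forbid object instantiation.
// Any object in the payload becomes __PHP_Incomplete_Class, whose magic
// methods never run, so no gadget chain can start.
function decode_message_no_classes(string $message) {
    return unserialize(base64_decode($message), ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred for new code): use JSON, which cannot
// express PHP objects at all.
function decode_message_json(string $message) {
    return json_decode(base64_decode($message), true, 512, JSON_THROW_ON_ERROR);
}

// --- demonstration on a constructed payload -------------------------------
$victim = tempnam(sys_get_temp_dir(), 'poi');   // stand-in for a target file
file_put_contents($victim, "sensitive\n");

// The attacker crafts the serialized string by hand (no LogHandle object is
// instantiated locally, which would fire its destructor prematurely).
// Format: O:<len>:"<class>":<n>:{s:<len>:"<prop>";s:<len>:"<value>";}
$payload = base64_encode(sprintf(
    'O:9:"LogHandle":1:{s:4:"path";s:%d:"%s";}',
    strlen($victim), $victim
));

$obj = decode_message_vulnerable($payload);
unset($obj);                       // __destruct fires here -> unlink($victim)
var_dump(file_exists($victim));    // bool(false)

file_put_contents($victim, "sensitive\n");
$safe = decode_message_no_classes($payload);
var_dump(get_class($safe));        // string "__PHP_Incomplete_Class"
unset($safe);
var_dump(file_exists($victim));    // bool(true): no destructor ran
unlink($victim);
```

The point to take from the demonstration is that the attacker never needs to call anything on the injected object: unserialize() itself instantiates it, and the side effect lives in a magic method (__destruct here, commonly also __wakeup or __toString) of a class the target already has loaded. Passing `['allowed_classes' => false]` closes that path for legacy serialized formats; switching the message format to JSON removes it entirely.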

Explanation of Vulnerability in Simple Terms

02 Summary

The Uncanny Automator plugin for WordPress contains a deserialization vulnerability in versions up to and including 6.4.0.1. An attacker can send a specially crafted request over the network to trigger unsafe deserialization of untrusted data. Combined with the POP chain that is also present, this allows arbitrary file deletion, which can modify site data or render the site unavailable (denial of service). No authentication or user interaction is required.

What an attacker can do

03 Attacker Capabilities

Delete arbitrary files on the server by sending a single crafted request, thereby modifying site data or causing the site to become unavailable.

Potential impact on your site

04 Site Impact

An attacker can alter site content or take the site offline by deleting files, without logging in or tricking any user.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

May 14, 2025 CVE published
April 8, 2026 Record updated