CVE Daily

CVE-2025-3623

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection...

Critical CVSS 9.1

Overview

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.

CWE: CWE-502 Published: 2025-05-14T03:15:33.073
Risk analysis

This vulnerability is rated 🔴 CRITICAL.

  • CVSS: 9.1 (CRITICAL)
  • Detected tags: deserialization, wordpress (tag impact: MODERATE)

Recommended actions:

  • Avoid untrusted deserialization; prefer safe formats (JSON) and signatures.

Recommended tools

Tags