cleantalk
Vulnerabilities and Security Researches

Uncanny Automator – Automate everything with the #1 automation, integration & webhooks plugin, CVE-2025-3623

CVE, Research URL

CVE-2025-3623

Published on

May 14, 2025

Research Description

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.

Affected versions

Min -, max 6.4.0.2.

Status

vulnerable