{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3623", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-15T01:34:31.565Z", "datePublished": "2025-05-14T02:23:17.305Z", "dateUpdated": "2026-04-08T16:32:23.313Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:23.313Z"}, "affected": [{"vendor": "uncannyowl", "product": "Uncanny Automator \u2013 Easy Automation, Integration, Webhooks & Workflow Builder Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.4.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files."}], "title": "Uncanny Automator <= 6.4.0.1 - Unauthenticated PHP Object Injection in automator_api_decode_message Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00bcfd8f-9785-449a-a0ea-16e2583d684a?source=cve"}, {"url": "https://wordpress.org/plugins/uncanny-automator/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.php#L540"}, {"url": "https://plugins.trac.wordpress.org/changeset/3276577/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.php"}, {"url": "https://automatorplugin.com/knowledge-base/uncanny-automator-changelog/#6-4-0-2-2025-04-18"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-502 Deserialization of Untrusted Data", "cweId": "CWE-502", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}, {"lang": "en", "type": "finder", "value": "Gai Tanaka"}], "timeline": [{"time": "2025-05-13T14:20:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-26T17:52:02.631874Z", "id": "CVE-2025-3623", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T17:52:26.539Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3623", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-26T17:52:02.631874Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T13:26:17.602Z"}}], "cna": {"title": "Uncanny Automator <= 6.4.0.1 - Unauthenticated PHP Object Injection in automator_api_decode_message Function", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}, {"lang": "en", "type": "finder", "value": "Gai Tanaka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "uncannyowl", "product": "Uncanny Automator \u2013 Easy Automation, Integration, Webhooks & Workflow Builder Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.4.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-13T14:20:55.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00bcfd8f-9785-449a-a0ea-16e2583d684a?source=cve"}, {"url": "https://wordpress.org/plugins/uncanny-automator/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.php#L540"}, {"url": "https://plugins.trac.wordpress.org/changeset/3276577/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.php"}, {"url": "https://automatorplugin.com/knowledge-base/uncanny-automator-changelog/#6-4-0-2-2025-04-18"}], "descriptions": [{"lang": "en", "value": "The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:23.313Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3623", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:23.313Z", "dateReserved": "2025-04-15T01:34:31.565Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-14T02:23:17.305Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uncannyowl:uncanny_automator:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "0A476B4A-5B38-4BE9-87A1-E712996324D5", "versionEndExcluding": "6.4.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files."}, {"lang": "es", "value": "El complemento Uncanny Automator para WordPress es vulnerable a la inyecci\u00f3n de objetos PHP en todas las versiones hasta la 6.4.0.1 incluida, mediante la deserializaci\u00f3n de entradas no confiables en la funci\u00f3n automator_api_decode_message(). Esto permite a atacantes autenticados, con acceso de suscriptor o superior, inyectar un objeto PHP. La presencia adicional de una cadena POP permite a los atacantes eliminar archivos arbitrarios."}], "id": "CVE-2025-3623", "lastModified": "2025-08-12T01:51:52.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-05-14T03:15:33.073", "references": [{"source": "security@wordfence.com", "tags": ["Release Notes"], "url": "https://automatorplugin.com/knowledge-base/uncanny-automator-changelog/#6-4-0-2-2025-04-18"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.php#L540"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3276577/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.php"}, {"source": "security@wordfence.com", "tags": ["Release Notes"], "url": "https://wordpress.org/plugins/uncanny-automator/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/00bcfd8f-9785-449a-a0ea-16e2583d684a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:20:00.199867+00:00", "value": {"mitigation_remediation": ["Upgrade the Uncanny Automator plugin to version\u00a06.4.0.2\u00a0or later.", "If an upgrade cannot be performed immediately, disable the Uncanny Automator plugin or remove the exposed API endpoint that handles automator_api_decode_message to eliminate the deserialization vector.", "Apply file\u2011system permissions that restrict write/delete access to the webroot and, if possible, configure a web\u2011application firewall rule to block unauthenticated requests to the automator API endpoint."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated PHP Object Injection enabling arbitrary file deletion"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Uncanny Automator \u2013 Easy Automation, Integration, Webhooks & Workflow Builder Plugin by uncannyowl with versions <=6.4.0.1. The vulnerability applies to any installation that has this plugin exposed to outside traffic and does not restrict access to the automator_api_decode_message endpoint.", "description_and_impact": "The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to\u00a06.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This flaw allows an unauthenticated attacker to construct a malicious object that, when processed by the plugin, can delete arbitrary files on the server. The ability to remove files can lead to compromising configuration, injecting additional code, or facilitating further attacks.", "risk_and_exploitability": "The CVSS score of 9.1 indicates high severity, while an EPSS score of 1% suggests a realistic but moderate chance of exploitation. The flaw is not listed in CISA's KEV catalog. The likely attack vector is unauthenticated HTTP requests targeting the automator API endpoint, which must be reachable without login credentials. Once the payload is sent, an attacker can induce file deletion, potentially escalating privileges or allowing further exploitation depending on server configuration."}}}}, "created": "2026-04-22T17:30:22.632615+00:00", "updated": "2026-04-22T17:30:22.632626+00:00", "vendors": []}