CVE-2025-3623
published 2025-05-14

Priority: P358
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.77% (50.9th percentile)

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| uncannyowl | uncanny_automator | < 6.4.0.2 | 6.4.0.2 |