9.1

CVE-2025-3623

EPSS 0.25%
Veröffentlicht 14.05.2025 02:23:17
Zuletzt bearbeitet 12.08.2025 01:51:52
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Uncanny Automator <= 6.4.0.1 - Unauthenticated PHP Object Injection in automator_api_decode_message Function

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.

Mögliche Gegenmaßnahme

Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin: Update to version 6.4.0.2, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

Version * - 6.4.0.1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Uncannyowl ≫ Uncanny Automator SwPlatformwordpress Version < 6.4.0.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.483

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://www.wordfence.com/threat-intel/vulnerabilities/id/00bcfd8f-9785-449a-a0ea-16e2583d684a?source=cve

Third Party Advisory

https://wordpress.org/plugins/uncanny-automator/#developers

Release Notes

https://plugins.trac.wordpress.org/browser/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.php#L540

Product

https://plugins.trac.wordpress.org/changeset/3276577/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.php

Patch

https://automatorplugin.com/knowledge-base/uncanny-automator-changelog/#6-4-0-2-2025-04-18

Release Notes

https://www.wordfence.com/threat-intel/vulnerabilities/id/00bcfd8f-9785-449a-a0ea-16e2583d684a

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-3623

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-3623

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-3623

EUVD