CVE-2025-3623
📋 TL;DR
The Uncanny Automator WordPress plugin contains a PHP object injection vulnerability that allows unauthenticated attackers to execute arbitrary code through deserialization of untrusted input. This affects all versions up to 6.4.0.1. Attackers can leverage this to delete arbitrary files on vulnerable WordPress installations.
💻 Affected Systems
- Uncanny Automator WordPress Plugin
📦 What is this software?
Uncanny Automator by Uncannyowl
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise including arbitrary file deletion, remote code execution, and potential data exfiltration leading to site takeover.
Likely Case
Arbitrary file deletion leading to site disruption, data loss, and potential privilege escalation through file manipulation.
If Mitigated
Limited impact with proper web application firewalls and file integrity monitoring detecting exploitation attempts.
🎯 Exploit Status
Exploitation requires sending specially crafted requests to vulnerable endpoints. The presence of POP chains makes reliable exploitation possible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.0.2
Vendor Advisory: https://automatorplugin.com/knowledge-base/uncanny-automator-changelog/#6-4-0-2-2025-04-18
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Uncanny Automator.
4. Click 'Update Now' if available.
5. Alternatively, download version 6.4.0.2+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block requests containing serialized PHP objects to vulnerable endpoints
WAF-specific: configure the firewall to block requests to /wp-json/automator/v1/* that contain serialized PHP data
Temporary Plugin Deactivation
Disable the Uncanny Automator plugin until patched
wp plugin deactivate uncanny-automator
🧯 If You Can't Patch
- Disable Uncanny Automator plugin immediately
- Implement strict WAF rules blocking all requests to automator API endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Uncanny Automator → Version. If the version is 6.4.0.1 or lower, the installation is vulnerable.
Check Version:
wp plugin get uncanny-automator --field=version
Verify Fix Applied:
Verify plugin version is 6.4.0.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-json/automator/v1/* containing serialized PHP objects
- Unexpected file deletion events in system logs
- Automator API requests from unusual IP addresses
Network Indicators:
- HTTP requests with serialized PHP data in POST body to automator endpoints
- Unusual outbound connections following automator API access
SIEM Query:
source="web_logs" AND uri_path="/wp-json/automator/v1/*" AND (body CONTAINS "O:" OR body CONTAINS "C:" OR body CONTAINS "a:")
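The log indicators and SIEM query above can be checked offline against exported web logs with a small scanner. The Python below is an added example, not code from the advisory, from the plugin vendor or from Wordfence; it assumes a constructed one-line-per-request log format (client IP, request line, status, raw POST body) and uses sample entries built for the example with documentation IP ranges. It URL-decodes the body before matching, because form-encoded payloads hide the quotes and colons of PHP serialization syntax, and by default it flags only object tokens (`O:` / `C:`), since the `a:` array marker in the query above also matches legitimate serialized settings arrays. Pass `strict=False` to reproduce the broader query.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote_plus

# Strict pattern: the opening of a PHP serialized object (O:) or custom-serialized
# object (C:), i.e. O:<len>:"<class>":<count>:{  -- arrays (a:) are deliberately excluded.
PHP_OBJECT_RE = re.compile(r'\b[OC]:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')

# Loose pattern mirroring the advisory's SIEM query: any object OR array marker.
# It also matches ordinary serialized settings arrays, so expect more noise.
PHP_ANY_RE = re.compile(r'\b[OCa]:\d+:')

# Assumed (constructed) log format: <client_ip> "<METHOD> <path>" <status> body=<raw POST body>
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) body=(.*)$')

AUTOMATOR_PREFIX = "/wp-json/automator/v1/"


@dataclass
class Hit:
    line_no: int
    client_ip: str
    path: str
    token: str  # the serialization token that matched, after URL-decoding


def scan_log(log_text: str, strict: bool = True) -> List[Hit]:
    """Return one Hit per POST to an Automator REST endpoint whose body carries
    PHP serialization syntax. strict=True looks for object tokens only."""
    pattern = PHP_OBJECT_RE if strict else PHP_ANY_RE
    hits: List[Hit] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        client_ip, method, path, _status, body = m.groups()
        if method != "POST" or not path.startswith(AUTOMATOR_PREFIX):
            continue
        # Decode before matching so %22 and %3A do not hide the quotes and colons
        # the patterns rely on.
        decoded = unquote_plus(body)
        found = pattern.search(decoded)
        if found:
            hits.append(Hit(line_no, client_ip, path, found.group(0)))
    return hits


# Constructed sample lines (RFC 5737 documentation addresses; no real traffic).
# Line 1: object payload in a POST to an Automator endpoint (should be flagged).
# Line 2: a serialized settings array (flagged only by the loose pattern).
# Line 3: a GET, not in scope.  Line 4: POST to a non-Automator endpoint.
SAMPLE_LOG = """\
203.0.113.5 "POST /wp-json/automator/v1/webhook" 200 body=data=O%3A10%3A%22Demo_Class%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D
198.51.100.7 "POST /wp-json/automator/v1/action" 200 body=settings=a%3A1%3A%7Bs%3A3%3A%22key%22%3Bs%3A5%3A%22value%22%3B%7D
192.0.2.9 "GET /wp-json/automator/v1/recipes" 200 body=
192.0.2.9 "POST /wp-json/wp/v2/posts" 201 body=title=O%3A1%3A+ring+purchase
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client_ip} -> {hit.path} token={hit.token!r}")
```

Run it directly to print the flagged entries, or feed it the body of real access logs once they are normalised to the assumed format. Matching on the decoded body is the important design choice: a rule that inspects only the raw request bytes misses payloads sent form-encoded.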
🔗 References
- https://automatorplugin.com/knowledge-base/uncanny-automator-changelog/#6-4-0-2-2025-04-18
- https://plugins.trac.wordpress.org/browser/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.php#L540
- https://plugins.trac.wordpress.org/changeset/3276577/uncanny-automator/trunk/src/core/lib/helpers/class-automator-recipe-helpers.php
- https://wordpress.org/plugins/uncanny-automator/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/00bcfd8f-9785-449a-a0ea-16e2583d684a?source=cve