CVE-2025-3623

Опубликовано: 14 мая 2025

Источник: nvd

CVSS3: 9.1

EPSS Низкий

Описание

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.

Ссылки

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:uncannyowl:uncanny_automator:*:*:*:*:*:wordpress:*:*

Версия до 6.4.0.2 (исключая)

EPSS

Процентиль: 60%

0.00398

Низкий

9.1 Critical

CVSS3

Дефекты

CWE-502

Связанные уязвимости

GHSA-35ch-876f-6mw7

CVSS3: 8.1

github

9 месяцев назад

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.