A serious authenticated PHP Object Injection vulnerability was identified. It directly impacted the Uncanny Automator WordPress plugin. This widely used plugin has over 50,000 active installations. Wordfence received the initial submission about this flaw on April 26th, 2024. An existing POP chain within the plugin aided potential exploits. The flaw allows attackers to delete arbitrary server files. This includes the absolutely vital wp-config.php configuration file. Such deletion can lead to complete site takeover by attackers. Remote code execution also becomes a severe, tangible risk. Authenticated attackers, even with subscriber-level access, could exploit this.
The security flaw was discovered by a researcher known as mikemyers. He responsibly reported it via Wordfence’s established Bug Bounty Program. This program actively encourages and rewards such important security discoveries. For his diligence and find, mikemyers earned a bounty of $1,021.00. Wordfence’s core mission is to secure WordPress sites thoroughly. They achieve this through a strategic defense-in-depth security approach. Investing in quality vulnerability research is fundamental to this mission. Collaborating with skilled researchers is also a critical element. Wordfence aims to make the entire WordPress ecosystem demonstrably more secure.
Wordfence first validated the submitted vulnerability report.
They also confirmed the proof-of-concept exploit. They then initiated contact with the Uncanny Owl team. This communication occurred on April 15, 2025. They asked the vendor to confirm a secure inbox for discussion. The vendor confirmed their inbox for handling the discussion that same day. Wordfence promptly sent over the full disclosure details. The Uncanny Owl team acknowledged the serious report. They began working on a fix almost immediately. The fully patched plugin, version 6.4.0.2, was then released.
This crucial update occurred on April 18, 2025. Their swift action was highly commendable. Users must update their sites urgently.
Wordfence Premium, Care, and Response users received a firewall rule. This key protection was deployed to their sites on April 22, 2025. Sites using the free Wordfence version will get this protection later. Their identical firewall protection activates on May 22, 2025. The vulnerability, CVE-2025-3623, holds a high CVSS score of 8.1. It specifically affected plugin versions up to and including 6.4.0.1. The core issue was found in the automator_api_decode_message() function. This function decodes, decrypts, and then unserializes input messages. Attackers could unfortunately control the decryption secret code. This allowed the injection of malicious PHP objects. A POP chain then facilitated the arbitrary file deletion. Deleting wp-config.php forces the site into a setup state. Attackers could then redirect it to their own database.
Reference:
