Uncanny Automator Easy Automation Integration Webhooks Workflow Builder Plugin
Monthly
Arbitrary file deletion in the Uncanny Automator WordPress plugin (all versions through 7.3.1.4) lets unauthenticated attackers delete any file on the server via untrusted PHP object deserialization in the fr_token function, and deleting a critical file such as wp-config.php can pivute WordPress into an installation/setup state that yields remote code execution. Exploitation is gated by a specific setup: a Forminator form must be connected to an Uncanny Automator recipe whose trigger is configured for 'Everyone', which is what exposes the deserialization sink to anonymous form submissions. A self-contained gadget chain via Action_Helpers_Email::__destruct() ships inside the plugin, so no external gadget library is needed; reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.
Arbitrary file deletion in the Uncanny Automator WordPress plugin (all versions through 7.3.1.4) lets unauthenticated attackers delete any file on the server via untrusted PHP object deserialization in the fr_token function, and deleting a critical file such as wp-config.php can pivute WordPress into an installation/setup state that yields remote code execution. Exploitation is gated by a specific setup: a Forminator form must be connected to an Uncanny Automator recipe whose trigger is configured for 'Everyone', which is what exposes the deserialization sink to anonymous form submissions. A self-contained gadget chain via Action_Helpers_Email::__destruct() ships inside the plugin, so no external gadget library is needed; reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.