CVE-2025-3623: 
WordPress vulnerability analysis and mitigation

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in versions up to and including 6.4.0.1. The vulnerability exists in the automatorapidecode_message() function through deserialization of untrusted input. This security issue allows authenticated attackers with Subscriber-level access or higher to inject PHP Objects, which combined with a POP chain enables arbitrary file deletion (NVD, Wiz).

The vulnerability is present in the automatorapidecode_message() function within the class-automator-recipe-helpers.php file. The function handles message decoding from the Automator API but contains an insecure deserialization mechanism. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.1 HIGH with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H (NVD, Wiz).

When exploited, this vulnerability allows authenticated attackers to delete arbitrary files on the affected WordPress installation. The impact is significant as it affects system integrity and availability, though confidentiality is not directly compromised (NVD).

The vulnerability has been patched in version 6.4.0.2 released on April 18, 2025. Users are strongly advised to update to this version or later. The patch includes additional modifications to further harden the automatorapidecode_message method (Automator Changelog).