CVE-2025-3623: 
WordPress vulnerability analysis and mitigation

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1. The vulnerability exists in the automatorapidecode_message() function through deserialization of untrusted input. This security issue affects authenticated users with Subscriber-level access or higher, allowing them to inject PHP Objects. When combined with a POP chain, attackers can delete arbitrary files (NVD, Wiz).

The vulnerability is present in the automatorapidecode_message() function within the class-automator-recipe-helpers.php file. The function handles message decoding from the Automator API but contains an insecure deserialization mechanism. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.1 HIGH with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H (NVD).

When exploited, this vulnerability allows authenticated attackers to delete arbitrary files on the affected WordPress installation. The impact is significant as it affects system integrity and availability, though confidentiality is not directly compromised (NVD).

The vulnerability has been patched in version 6.4.0.2 released on April 18, 2025. Users are strongly advised to update to this version or later. The patch includes additional modifications to further harden the automatorapidecode_message method (Automator Changelog).