PT-2026-60435 · Uncanny Owl · The Uncanny Automator – Easy Automation

·

CVE-2026-15008

·

Publicado

2026-07-16

·

Atualizado

2026-07-16

CVSS v3.1

8.1

Alta

VetorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the fr token function in all versions up to, and including, 7.3.1.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Exploitation requires a Forminator form connected to an Uncanny Automator recipe configured for 'Everyone', allowing unauthenticated form submissions to supply the malicious serialized payload; a gadget chain is present within the plugin via the Action Helpers Email destruct() method, meaning no external gadget library is required.

Correção

Deserialization of Untrusted Data

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-15008

Produtos afetados

The Uncanny Automator – Easy Automation