PT-2025-11000 · WordPress · The Uncanny Automator – Easy Automation
Francesco Carlucci · Published 2025-03-12 · Updated 2025-04-02 · CVE-2024-13838
CVSS v3.1: 5.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress, versions up to, and including, 6.2.
Description:
The issue allows authenticated attackers with Administrator-level access and above to make web requests to arbitrary locations originating from the web application. This can be used to query and modify information from internal services via the call webhook method of the Automator Send Webhook class.
Recommendations:
For versions up to, and including, 6.2, consider disabling the call webhook method of the Automator Send Webhook class as a temporary workaround until a patch is available. Restrict access to the Automator Send Webhook class to minimize the risk of exploitation. Avoid using the call webhook method in the affected plugin until the issue is resolved.
Fix
SSRF
Affected Products
The Uncanny Automator – Easy Automation