CVE-2026-15008
Uncanny Owl · Uncanny Automator
The Uncanny Automator plugin for WordPress contains a deserialization vulnerability that allows for arbitrary file deletion due to insufficient path validation in the fr_token function.
Executive summary
A critical deserialization vulnerability in the Uncanny Automator plugin for WordPress may allow unauthenticated attackers to delete arbitrary files on the server.
Vulnerability
The plugin is vulnerable to improper deserialization (CWE-502) within the fr_token function, which leads to insufficient file path validation. This flaw can be triggered to perform arbitrary file deletion, potentially disrupting site operations.
Business impact
Successful exploitation of this vulnerability could lead to the deletion of critical system files, potentially causing complete service outages or site instability. The CVSS score of 8.1 reflects the high risk posed to service availability, even though the attack requires specific conditions to trigger.
Remediation
Immediate Action: Update the Uncanny Automator plugin to version 7.4.0 or higher to patch the deserialization and file path validation flaws.
Proactive Monitoring: Monitor server logs for unexpected file deletion attempts or errors related to file access in plugin directories.
Compensating Controls: Utilize a Web Application Firewall (WAF) to filter malicious requests targeting the plugin's integration tokens and endpoints.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
The severity of this vulnerability necessitates an immediate update to version 7.4.0. Administrators should prioritize this patch to prevent potential service disruption and ensure the continued stability of the WordPress environment.