CVE-2025-3623 is a critical security vulnerability identified in the Uncanny Automator plugin for WordPress, affecting all versions up to and including 6.4.0.1. The flaw arises from unsafe deserialization of untrusted data within the automator_api_decode_message() function, which processes incoming data without proper validation or sanitization. This leads to PHP Object Injection, a subclass of deserialization vulnerabilities (CWE-502), allowing attackers to inject crafted PHP objects. The vulnerability is exploitable remotely without authentication or user interaction, as the plugin accepts input that is deserialized insecurely. The presence of a Property Oriented Programming (POP) chain in the plugin's codebase enables attackers to chain gadget objects to perform malicious actions, specifically arbitrary file deletion on the server. This can disrupt website functionality, cause data loss, or facilitate further compromise. The CVSS v3.1 score of 9.1 reflects the vulnerability's network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on integrity and availability. Although no public exploits have been observed in the wild yet, the vulnerability's characteristics make it a prime target for attackers aiming to disrupt or compromise WordPress sites using this popular automation plugin.

The impact of CVE-2025-3623 is severe for organizations running WordPress sites with the Uncanny Automator plugin. Successful exploitation allows unauthenticated attackers to delete arbitrary files, potentially leading to website defacement, loss of critical data, disruption of business operations, and downtime. This can affect content availability and integrity, damaging organizational reputation and causing financial losses, especially for e-commerce, media, and service providers relying on WordPress automation workflows. Additionally, file deletion could be leveraged as a stepping stone for further attacks, such as privilege escalation or persistent backdoors if critical system or configuration files are targeted. The vulnerability’s ease of exploitation and lack of required authentication increase the risk of widespread attacks. Organizations with large WordPress deployments or those integrating complex workflows via this plugin are particularly vulnerable, potentially impacting millions of websites globally.

To mitigate CVE-2025-3623, organizations should immediately update the Uncanny Automator plugin to a patched version once released by the vendor. Until a patch is available, implement the following specific mitigations: 1) Restrict access to the plugin’s API endpoints by IP whitelisting or web application firewall (WAF) rules to block unauthorized requests targeting the automator_api_decode_message() function. 2) Employ strict input validation and sanitization at the web server or application firewall level to detect and block serialized PHP object payloads. 3) Disable or limit plugin features that accept external input for automation workflows if feasible. 4) Monitor web server logs for suspicious POST requests containing serialized data patterns indicative of exploitation attempts. 5) Regularly back up website files and databases to enable rapid recovery in case of file deletion or compromise. 6) Conduct security audits and penetration testing focusing on deserialization vulnerabilities in WordPress plugins. 7) Educate development and security teams about the risks of insecure deserialization and the importance of secure coding practices. These targeted actions will reduce the attack surface and limit potential damage until a vendor patch is deployed.