Back to overview

CVE-2026-15008

HIGH
8.1
CVSS 3.1
Description
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the fr_token function in all versions up to, and including, 7.3.1.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Exploitation requires a Forminator form connected to an Uncanny Automator recipe configured for 'Everyone', allowing unauthenticated form submissions to supply the malicious serialized payload; a gadget chain is present within the plugin via the Action_Helpers_Email __destruct() method, meaning no external gadget library is required.

Metadata

CVE ID
CVE-2026-15008
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-07-07 21:26 UTC
Published
2026-07-16 07:51 UTC
Last updated
2026-07-16 07:51 UTC
Primary CWE
CWE-502
CWE-502 Deserialization of Untrusted Data
Vendor / Product
uncannyowl / Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Sources
cve.org  ·  NVD

Severity & Metrics

8.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
uncannyowl Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin 0 ≤ 7.3.1.4
Weakness (CWE)
CWESourceDescription
CWE-502 cna CWE-502 Deserialization of Untrusted Data
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.1 HIGH 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Back to overview