CVE-2025-3623

HIGH Year: 2025
CVSS v3 Score
8.1
High
Weakness Type
CWE-502
View all →

Vulnerability Description

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.

Related Vulnerabilities

CVE-2016-10750

HIGH
CVSS:8.1(High)

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest...

CWE-5022016

CVE-2017-1000034

HIGH
CVSS:8.1(High)

Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a java deserialization attack in its Remoting component resulting in remote code execution in the context of the ActorSystem.

CWE-5022017

CVE-2017-1000053

HIGH
CVSS:8.1(High)

Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session.

CWE-5022017

CVE-2017-3199

HIGH
CVSS:8.1(High)

The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExter...

CWE-5022017

CVE-2017-3201

HIGH
CVSS:8.1(High)

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0 derives class instances from java.io.Externalizable rather than the AMF3 specification's recommen...

CWE-5022017

CVE-2017-3203

HIGH
CVSS:8.1(High)

The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExte...

CWE-5022017