Untrusted Input, Trusted Chaos: Uncanny Automator and PHP Object Injection

Understanding Deserialization Risks in Modern WordPress Automation

Cory Marsh
Cory Marsh has over 20 years of Internet security experience. He is a lead developer on the BitFire project and regularly releases PHP security and programming videos on BitFire's YouTube channel.
uncanny-automator, 50,000+ sites hacked
Unauthenticated Remote File Deletion Object Injection

In an age where automation is driving efficiency across WordPress deployments, security must evolve at the same pace. The Uncanny Automator plugin, widely adopted for its no-code workflow and integration capabilities, was found to contain a severe PHP object injection vulnerability. This issue, rooted in unsafe deserialization practices, presents significant risk to websites using versions up to and including 6.4.0.1. Fortunately, advanced defenses like BitFire's runtime protection and WAF make it possible to stop these exploits before they cause damage.

View CVE Report: CVE-2025-3623

View On WordPress.org: uncanny-automator

View On Trac: plugins.trac.wordpress.org


Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

"Uncanny Automator helps WordPress site owners build powerful automations that connect plugins, third-party services, and custom workflows without writing code. Common uses include email automation, webhook integrations, and user onboarding flows."

-- uncanny-automator
  • Connect over 100 plugins and services with no code
  • Create automation recipes triggered by user actions or webhooks
  • Supports tokens, delays, filters, and conditional logic
  • Includes support for REST API and incoming requests

Uncanny Automator is the easiest and most powerful way to automate your WordPress site with no code.


BitFire's 0-day protection of the CVE-2025-3623 vulnerability

The Gory Details

The vulnerability resides in the `automator_api_decode_message` function of the Uncanny Automator plugin. In versions up to 6.4.0.1, this function processes incoming POST data without adequately validating or restricting the deserialization process. As a result, unauthenticated users can send crafted payloads that instantiate arbitrary PHP objects on the server. When a POP (property-oriented programming) chain is present in the environment, this can escalate to arbitrary file deletion or other harmful outcomes.

Mitigating the Risk

The plugin maintainers resolved this issue in version 6.4.0.2 by removing direct deserialization of untrusted input. Website administrators should update immediately and audit their servers for unexpected file deletions or signs of tampering. Additionally, external access to deserialization endpoints should be monitored or limited wherever possible.

Why BitFire?

BitFire's Web Application Firewall is specifically trained to detect and block common object injection patterns, including deserialization payloads targeting known POP chains. Even if such a request reaches the server, BitFire's RASP module prevents runtime access to file deletion and modification functions unless explicitly permitted. This layered approach ensures that both detection and prevention happen in real-time, before damage can occur.

The Bottom Line

Deserialization vulnerabilities represent a persistent threat in dynamic plugin ecosystems like WordPress. Left unchecked, they can result in irreversible data loss and complete site compromise. BitFire offers comprehensive protection by combining behavioral traffic analysis with code-level hardening—making sure your automation tools work for you, not for attackers.

Removed Code (src/core/lib/helpers/class-automator-recipe-helpers.php):

    maybe_unserialize( $tokens );

Replaced Code:

    json_decode( $tokens, true );
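The following is an added example, not code from the Uncanny Automator plugin or from BitFire, illustrating why the `maybe_unserialize()` call in the removed code is dangerous and what the `json_decode()` replacement changes. The class `AuditLogger`, the two `decode_tokens_*` functions, the serialized string and the minimal `maybe_unserialize()` shim are all constructed for this demonstration.

```php
<?php
// Shim so the example runs outside WordPress. WordPress's maybe_unserialize()
// checks is_serialized() first and then calls unserialize() with default
// options; this simplified version only covers the serialized-input case.
if ( ! function_exists( 'maybe_unserialize' ) ) {
    function maybe_unserialize( $data ) {
        return @unserialize( trim( $data ) );
    }
}

// Constructed class standing in for any class the autoloader can reach.
// Magic methods such as __destruct() run automatically once an object exists;
// in a real POP chain this is where the attacker-controlled property values
// get turned into a file operation or similar side effect.
class AuditLogger {
    public $path = '/tmp/audit.log';
    public function __destruct() {
        echo "AuditLogger::__destruct() fired with path={$this->path}\n";
    }
}

// Vulnerable pattern: unrestricted unserialize() of request data, so the
// input decides which class gets instantiated and with which properties.
function decode_tokens_vulnerable( string $tokens ) {
    return maybe_unserialize( $tokens );
}

// Hardened pattern (the approach taken in 6.4.0.2): JSON can only yield
// arrays, strings, numbers, booleans and null, never objects with magic
// methods. If the serialized format had to be kept, the equivalent would be
// unserialize( $tokens, array( 'allowed_classes' => false ) ).
function decode_tokens_safe( string $tokens ): ?array {
    $decoded = json_decode( $tokens, true );
    if ( json_last_error() !== JSON_ERROR_NONE || ! is_array( $decoded ) ) {
        return null; // reject anything that is not a plain JSON array/object
    }
    return $decoded;
}

// Constructed request body: a serialized AuditLogger with an attacker-chosen property.
$untrusted = 'O:11:"AuditLogger":1:{s:4:"path";s:17:"/tmp/anything.txt";}';

$obj = decode_tokens_vulnerable( $untrusted );
var_dump( $obj instanceof AuditLogger ); // bool(true): object created from input
unset( $obj );                           // __destruct() runs with path=/tmp/anything.txt

var_dump( decode_tokens_safe( $untrusted ) );         // NULL: not valid JSON, rejected
var_dump( decode_tokens_safe( '{"user_id":42}' ) );   // array(1) { ["user_id"]=> int(42) }
```

Running this shows the difference a defender cares about: the first decoder lets the request body choose a class and trigger its magic method, the second can only ever return plain data.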