On April 26th, 2024, we received a submission for an authenticated PHP Object Injection vulnerability in Uncanny Automator, a WordPress plugin with more than 50,000 active installations. An existing POP chain in the plugin allows this vulnerability to be leveraged to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible for authenticated attackers with subscriber-level access.
The post 50,000 WordPress Sites Affected by PHP Object Injection Vulnerability in Uncanny Automator WordPress Plugin appeared first on Wordfence.