{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/uncanny-automator--easy-automation-integration-webhooks--workflow-builder-plugin--7.3.1.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-15008"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Uncanny Automator – Easy Automation, Integration, Webhooks \u0026 Workflow Builder Plugin (\u003c= 7.3.1.4)"],"_cs_severities":["high"],"_cs_tags":["wordpress","vulnerability","arbitrary-file-deletion","deserialization"],"_cs_type":"advisory","_cs_vendors":["The Uncanny Automator"],"content_html":"\u003cp\u003eA significant arbitrary file deletion vulnerability, identified as CVE-2026-15008, affects The Uncanny Automator plugin for WordPress, specifically in all versions up to and including 7.3.1.4. This flaw stems from insufficient file path validation within the \u003ccode\u003efr_token\u003c/code\u003e function, enabling unauthenticated attackers to delete arbitrary files on the vulnerable server. The exploitation pathway for this vulnerability requires a WordPress site running the affected Uncanny Automator plugin that also has a Forminator form connected to an Uncanny Automator recipe configured for 'Everyone'. This specific configuration allows for unauthenticated form submissions, which attackers can then leverage to supply a malicious serialized payload. The plugin itself contains a gadget chain via the \u003ccode\u003eAction_Helpers_Email __destruct()\u003c/code\u003e method, eliminating the need for external gadget libraries and simplifying exploitation. Successful exploitation can lead to severe consequences, including remote code execution, particularly if crucial system files like \u003ccode\u003ewp-config.php\u003c/code\u003e are targeted and deleted.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance and Configuration Identification\u003c/strong\u003e: An unauthenticated attacker identifies a WordPress site running The Uncanny Automator plugin (version 7.3.1.4 or earlier) and determines if a Forminator form is integrated with an Uncanny Automator recipe configured for 'Everyone' (allowing public submissions).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Payload Crafting\u003c/strong\u003e: The attacker crafts a PHP serialized payload designed to trigger the arbitrary file deletion vulnerability by leveraging the gadget chain available in the plugin's \u003ccode\u003eAction_Helpers_Email __destruct()\u003c/code\u003e method and targeting the \u003ccode\u003efr_token\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Delivery\u003c/strong\u003e: The attacker submits the crafted malicious serialized payload via an unauthenticated POST request to the publicly accessible Forminator form endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Processing\u003c/strong\u003e: The WordPress application, specifically the Uncanny Automator plugin, receives and processes the Forminator submission, which includes the malicious serialized payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeserialization and Gadget Chain Execution\u003c/strong\u003e: During the processing, the application deserializes the payload, triggering the \u003ccode\u003eAction_Helpers_Email __destruct()\u003c/code\u003e method, which in turn exploits the insufficient file path validation in the \u003ccode\u003efr_token\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary File Deletion\u003c/strong\u003e: The vulnerability allows the attacker to delete an arbitrary file on the server. For instance, the attacker could specify \u003ccode\u003ewp-config.php\u003c/code\u003e for deletion.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (WordPress Reinstallation)\u003c/strong\u003e: If \u003ccode\u003ewp-config.php\u003c/code\u003e is deleted, accessing the WordPress site again will trigger the WordPress installation wizard, as the configuration file is missing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Remote Code Execution\u003c/strong\u003e: By exploiting the reinstallation process or other means after deleting critical files, the attacker can potentially achieve remote code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe arbitrary file deletion vulnerability (CVE-2026-15008) in The Uncanny Automator plugin poses a critical risk to affected WordPress installations. Unauthenticated attackers can leverage this flaw to delete any file on the server, leading to severe system compromise. The most significant consequence is the deletion of critical files like \u003ccode\u003ewp-config.php\u003c/code\u003e, which can lead to a full WordPress reinstallation. This reinstallation process could then be abused by an attacker to inject malicious code or configurations, effectively leading to remote code execution and full control over the compromised server. The lack of authentication required for exploitation broadens the attack surface significantly, making any WordPress site with the vulnerable plugin and the specified configuration a potential target.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-15008 immediately by updating The Uncanny Automator - Easy Automation, Integration, Webhooks \u0026amp; Workflow Builder Plugin to a version greater than 7.3.1.4.\u003c/li\u003e\n\u003cli\u003eReview your Uncanny Automator recipes connected to Forminator forms to ensure that sensitive operations are not configured for 'Everyone' access without proper authentication.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for unusual POST requests to Forminator submission endpoints, especially those containing serialized payload patterns or resulting in unexpected application behavior (e.g., redirection to \u003ccode\u003e/wp-admin/setup-config.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy file integrity monitoring (FIM) solutions to detect unauthorized modifications or deletions of critical WordPress files, such as \u003ccode\u003ewp-config.php\u003c/code\u003e and core installation files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T09:19:10Z","date_published":"2026-07-16T09:19:10Z","id":"https://feed.craftedsignal.io/briefs/2026-07-uncanny-automator-file-deletion/","summary":"A critical arbitrary file deletion vulnerability, CVE-2026-15008, exists in The Uncanny Automator plugin for WordPress, versions up to and including 7.3.1.4, due to insufficient file path validation in the `fr_token` function, allowing unauthenticated attackers to delete arbitrary files on the server and potentially achieve remote code execution (RCE) by targeting critical files like `wp-config.php`, provided a Forminator form is linked to an 'Everyone' configured Uncanny Automator recipe, enabling the submission of a malicious serialized payload that leverages a gadget chain within the plugin's `Action_Helpers_Email __destruct()` method.","title":"Uncanny Automator WordPress Plugin Vulnerable to Arbitrary File Deletion (CVE-2026-15008)","url":"https://feed.craftedsignal.io/briefs/2026-07-uncanny-automator-file-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Uncanny Automator – Easy Automation, Integration, Webhooks \u0026 Workflow Builder Plugin (\u003c= 7.3.1.4)","version":"https://jsonfeed.org/version/1.1"}