A critical arbitrary file deletion vulnerability, CVE-2026-15008, exists in The Uncanny Automator plugin for WordPress, versions up to and including 7.3.1.4, due to insufficient file path validation in the `fr_token` function, allowing unauthenticated attackers to delete arbitrary files on the server and potentially achieve remote code execution (RCE) by targeting critical files like `wp-config.php`, provided a Forminator form is linked to an 'Everyone' configured Uncanny Automator recipe, enabling the submission of a malicious serialized payload that leverages a gadget chain within the plugin's `Action_Helpers_Email __destruct()` method.
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
wordpress
vulnerability
arbitrary-file-deletion
deserialization
2t
1c