Arbitrary File Deletion Vulnerability in Uncanny Automator Plugin for WordPress
CVE-2026-15008
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 16 July 2026
What is CVE-2026-15008?
The Uncanny Automator plugin for WordPress contains an arbitrary file deletion vulnerability caused by inadequate file path validation in the fr_token function. This flaw impacts all versions through 7.3.1.4. Attackers without authentication can exploit this issue to delete arbitrary files from the server, potentially leading to severe consequences such as remote code execution when critical files like wp-config.php are targeted. Exploitation requires a Forminator form linked to an Uncanny Automator recipe configured for open access, allowing malicious serialized payloads to be submitted via unauthenticated forms. The threat is exacerbated by the presence of a gadget chain within the plugin, enabling effective manipulation without needing an external gadget library.
Affected Version(s)
Uncanny Automator β Easy Automation, Integration, Webhooks & Workflow Builder Plugin 0 <= 7.3.1.4