Wordfence released its 2024 WordPress security report and highlighted a PHP Object Injection vulnerability in Uncanny Automator (versions ≤ 6.4.0.1) that allows authenticated users to delete arbitrary files, including wp-config.php. It was discovered by researcher mikemyers, who earned a $1,021 bounty. A patch (version 6.4.0.2) was released on April 18, 2025; the vulnerability affects over 50,000 installations. Wordfence Premium users received protection on April 22, 2025, with free users receiving it 30 days later. Users are urged to update to the latest version because this vulnerability is critical.
50,000 WordPress Sites Affected by PHP Object Injection Vulnerability in Uncanny Automator WordPress Plugin
