CVE-2026-12375 PUBLISHED

Uncanny Automator Pro 7.3.0.5 - Backdoor via Compromised Vendor Update Server

Assigner: WPScan
Reserved: 16.06.2026 Published: 07.07.2026 Updated: 07.07.2026

The uncanny-automator-pro WordPress plugin before 7.3.0.6 was distributed with malicious code after the vendor's uncanny-automator-pro WordPress plugin before 7.3.0.6 update/distribution infrastructure was compromised; the injected backdoor grants unauthenticated attackers an administrator session on affected sites and beacons the site's secret keys and administrator details to attacker-controlled servers.

Product Status

Vendor Unknown
Product uncanny-automator-pro
Versions Default: unaffected
  • affected from 7.3.0.5 to 7.3.0.6 (excl.)

Credits

  • Mike Gozdiskowski finder
  • WPScan coordinator

References

Problem Types

  • CWE-912 Hidden Functionality CWE