CVE-2026-15008
Received Received - Intake

Arbitrary File Deletion in Uncanny Automator WordPress Plugin

Vulnerability report for CVE-2026-15008, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Wordfence

Description

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the fr_token function in all versions up to, and including, 7.3.1.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Exploitation requires a Forminator form connected to an Uncanny Automator recipe configured for 'Everyone', allowing unauthenticated form submissions to supply the malicious serialized payload; a gadget chain is present within the plugin via the Action_Helpers_Email __destruct() method, meaning no external gadget library is required.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
uncanny_automator easy_automation_integration_webhooks_and_workflow_builder_plugin to 7.3.1.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in the Uncanny Automator WordPress plugin. It allows unauthenticated attackers to delete arbitrary files on the server due to insufficient file path validation in the fr_token function. This can lead to remote code execution if critical files like wp-config.php are deleted. Exploitation requires a Forminator form linked to an Uncanny Automator recipe set to 'Everyone'.

Detection Guidance

Check for unauthorized file deletions or suspicious activity in WordPress directories. Review logs for Forminator form submissions connected to Uncanny Automator recipes. Look for unexpected changes in wp-config.php or other critical files.

Impact Analysis

An attacker could delete important files on your WordPress server, potentially causing site crashes or allowing them to take control of your website. If they delete wp-config.php, they might gain full access to your site and database.

Compliance Impact

This vulnerability could lead to unauthorized access or data breaches, violating GDPR or HIPAA requirements for data protection and security. Organizations may face legal penalties or compliance violations if exploited.

Mitigation Strategies

Update the Uncanny Automator plugin to the latest version. Disable Forminator forms connected to Uncanny Automator recipes if not needed. Implement file integrity monitoring to detect unauthorized changes. Restrict file deletion permissions where possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15008. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart