Uncanny Automator Plugin Allows Attackers to Access and Modify Internal Services

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.2

Uncanny Automator Plugin Allows Attackers to Access and Modify Internal Services

CVE-2026-2269

Summary

The Uncanny Automator plugin for WordPress has a security flaw that lets attackers with administrator access make unauthorized requests to internal services and potentially upload malicious files to the website's server. This can lead to unauthorized access and control of the site. Update to the latest version to fix the issue.

Original title

Original description

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.0.0.3 via the download_url() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Additionally, the plugin stores the contents of the remote files on the server, which can be leveraged to upload arbitrary files on the affected site's server which may make remote code execution possible.

nvd CVSS3.1 7.2

Vulnerability type

CWE-434 Unrestricted File Upload

Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026