External risk intelligence

Uncanny Automator Pro WordPress Plugin Backdoor Leads to Administrator Session Takeover

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-12375

This vulnerability affects a WordPress plugin. WordPress sites are web applications typically deployed as public-facing internet services. Consequently, the plugin's functionality and its associated attack surface are commonly reachable via the public internet.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A compromise in the distribution infrastructure for the uncanny-automator-pro WordPress plugin allowed malicious code to be injected, creating a backdoor that grants unauthorized access. This vulnerability could allow unauthenticated attackers to obtain administrator sessions and exfiltrate sensitive site information.

  • Malicious code in plugin grants admin access.
  • Unauthenticated attackers can steal site secrets.
  • Confirm relevance and verify exposure of the plugin.

Attack Path

How an attacker could exploit the issue

The vendor's distribution infrastructure was compromised, allowing attackers to distribute a malicious version of the plugin. This backdoor grants unauthenticated attackers administrator access, enabling them to steal sensitive site information.

  • No authentication required for access.
  • Malicious plugin download.
  • Complete site control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could expose sensitive site administration data and grant unauthorized access to WordPress sites. When the plugin's distribution infrastructure is compromised, a backdoor may be introduced that allows unauthenticated attackers to establish an administrator session. This could then lead to the exfiltration of site secret keys and administrator credentials to attacker-controlled servers.

  • Site secret keys and administrator credentials.
  • Malicious code injected via compromised distribution.
  • Unauthorized administrative access and data exfiltration.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in the uncanny-automator-pro WordPress plugin requires immediate attention from teams managing WordPress instances and their plugins. The first practical move is to identify all instances of the affected plugin, confirm their online exposure and business criticality, and then determine the accountable owner for remediation. This will inform the subsequent planning for mitigation, which may involve coordinating with the vendor or implementing temporary risk-reduction measures.

  • Own: Site owners, WordPress administrators, or platform teams.
  • Verify: Plugin presence and site accessibility.
  • Act: Plan remediation based on exposure and criticality.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the uncanny-automator-pro WordPress plugin?

Uncanny Automator Pro is a specialized WordPress plugin designed to automate workflows and connect various tools and plugins within a site. It acts as an integration engine, allowing site owners to trigger automated actions across their WordPress ecosystem without needing custom code. It is widely used by developers and site managers to streamline administrative tasks and manage data flows between different software components installed on a WordPress platform.

Why is CVE-2026-12375 considered a critical security threat?

This vulnerability involves a supply chain compromise where the plugin's distribution infrastructure was breached. Malicious code injected into the software creates a backdoor, allowing unauthenticated attackers to hijack administrator sessions. Because it grants full control over the site and exfiltrates secret keys and credentials, it is classified as a severe risk that bypasses standard login security.

How do attackers trigger this backdoor?

Attackers leverage the malicious code embedded within compromised versions of the plugin. Because the backdoor is built directly into the plugin itself, it does not require any specific user action or complex exploit chain to activate. If an affected version is installed, the vulnerability is active by default. It is not triggered by specific user behavior, but rather by the mere presence of the tampered software on your WordPress site.

Is my site at risk if I use this plugin?

According to Halo Surface Signal, this plugin is typically used in web applications that are public-facing, meaning the attack surface is generally accessible via the internet. If you are running an instance of this plugin, your site is likely reachable by remote, unauthenticated attackers. You should assess the internet accessibility of your WordPress installation to determine how easily an attacker could interact with the affected software.

Do I need to check my WordPress site for this plugin?

Yes, your first step is to conduct an inventory to identify if this plugin is installed on any of your WordPress instances. Once you confirm its presence, verify how that site is exposed to the network. Coordinate with your site administrators to determine the next steps for remediation, such as updating to a clean version once available or temporarily disabling the plugin to mitigate the risk of unauthorized administrative access.

References