CVE-2026-56057: WordPress Uncanny Automator Pro plugin <= 7.3.0.6 - PHP Object Injection vulnerability
Subscriber PHP Object Injection in Uncanny Automator Pro <= 7.3.0.6 versions.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: — (no fixed version published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
PHP Object Injection vulnerability in the WordPress Uncanny Automator Pro plugin (versions up to and including 7.3.0.6) allows an unauthenticated remote attacker to inject malicious serialized PHP objects over the network without any user interaction. What the injection can be escalated to depends on the PHP classes loaded in the application: if a usable gadget chain (a "POP chain") is present, successful exploitation can result in remote code execution, arbitrary file read or write, or full data compromise. No fix version has been published yet; HarborGuard is tracking the upstream advisory and will make a patched rebuild available the moment a fix is released.
HarborGuard Coverage
- Detection (Available): Detection of CVE-2026-56057 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle Uncanny Automator Pro. Coverage applies to both registry scans and CI pipeline checks.
- Triage (Available): Triage is available with the full CVSS v3.1 score of 9.8 (Critical) surfaced alongside per-environment compliance policy weighting, so teams working under stricter SLAs see it prioritized accordingly. Routing to the appropriate team inbox within each customer org is handled automatically based on image ownership and policy configuration.
- Remediation (Pending upstream): Because no fix version has been published upstream, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Uncanny Owl ships a remediated release. In the interim, compensating controls such as network-policy isolation of the WordPress deployment and web application firewall rules targeting deserialization payloads are available for manual application.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is reachable over the network; an attacker must be able to send HTTP requests to the WordPress installation to deliver the malicious payload.
- Authentication: Not required
No account or credentials are required; the injection can be triggered by an anonymous request.
- Victim interaction: Not required
No victim action such as clicking a link or opening a file is needed; the attacker interacts directly with the server.
- Attack complexity: Low
Attack complexity is Low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of environmental layout beyond locating the vulnerable endpoint.
Blast Radius
- Reads arbitrary application data including WordPress database credentials, user session tokens, and any secrets stored on the filesystem accessible to the web process.
- Writes or overwrites arbitrary files reachable by the web server process, enabling backdoor placement or defacement of site content.
- Executes arbitrary operating system commands on the host if a suitable POP chain exists among the installed PHP classes, which is common in WordPress environments with many plugins.
- Fully compromises the integrity and availability of the WordPress installation, including the ability to create admin accounts or drop database tables.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-56057 is flagged at Critical severity (CVSS 9.8) and matched against any customer image containing Uncanny Automator Pro 7.3.0.6 or earlier as soon as the image enters a monitored registry or CI pipeline. Because no upstream fix exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically when a remediated version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. While awaiting the upstream fix, compensating controls available for manual application include isolating the WordPress pod or container with a restrictive network policy (blocking unexpected egress), placing a WAF rule in front of the installation to reject requests carrying serialized PHP payloads, and auditing installed plugins to reduce the POP chain surface available to an attacker.
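As an added illustration of the interim WAF control named above (example code written for this page, not HarborGuard's or Uncanny Owl's), the following Python check flags request parameters that carry serialized PHP objects, including ones hidden behind URL or base64 encoding; the sample bodies and parameter names are constructed, and no endpoint is assumed because the advisory names none.

```python
import base64
import re
from urllib.parse import parse_qs, quote

# Serialized PHP object: O:<len>:"<Class>":<n>:{...} (C: for custom serialization).
# Anchoring to start-of-value or to ';' / '{' also catches objects nested in arrays.
PHP_OBJECT_RE = re.compile(r'(?:^|(?<=[;{]))[OC]:\d+:"(?P<cls>[^"]+)":\d+:\{')

def decoded_layers(value: str) -> list[str]:
    """The value itself plus a base64-decoded variant when it decodes cleanly
    (parse_qs has already removed the URL-encoding layer)."""
    layers = [value]
    try:
        layers.append(base64.b64decode(value, validate=True).decode("utf-8", "replace"))
    except ValueError:  # not base64; binascii.Error is a ValueError subclass
        pass
    return layers

def php_object_classes(value: str) -> list[str]:
    """Class names of every serialized PHP object found in one parameter value."""
    found = []
    for layer in decoded_layers(value):
        found.extend(m.group("cls") for m in PHP_OBJECT_RE.finditer(layer))
    return found

def inspect_body(body: str) -> dict[str, list[str]]:
    """Map each parameter carrying a serialized object to the class names it
    contains; an empty dict means the request may pass."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        classes = [c for v in values for c in php_object_classes(v)]
        if classes:
            hits[name] = classes
    return hits

# Constructed request bodies, not captured traffic; the advisory does not name the
# vulnerable endpoint, so none is assumed here. Only the last three carry an object.
SAMPLES = {
    "plain":  "action=search&term=hello+world",
    "array":  "action=save&data=a%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22ok%22%3B%7D",
    "object": "action=save&data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D",
    "nested": "action=save&data=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D",
    "base64": "action=save&blob=" + quote(base64.b64encode(b'O:8:"stdClass":0:{}').decode()),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits = inspect_body(body)
        print(f"{label:6s} -> {'BLOCK ' + str(hits) if hits else 'allow'}")
```

Whether a given parameter may legitimately carry serialized data is site-specific, so treat a hit as a review signal and tune the rule per parameter before turning it into a hard block.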
Affected Products
- Uncanny Owl / Uncanny Automator Pro: ≤ 7.3.0.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H