Security Bulletin for 7 July 2026: Supply-Chain Backdoor in Uncanny Automator Pro, Code Execution in WPFunnels, File Deletion in Frontend File Manager and File Write in AMP for WP
7 July 2026 · jproxx Security
This is our daily security roundup, in which we review the published vulnerabilities and pick out those that genuinely matter for operating WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. 7 July 2026 stands out clearly: at its centre is a supply-chain attack on a widely used automation plugin, accompanied by three further serious flaws — two of which have no fix available yet.
CVE-2026-12375 — Supply-Chain Backdoor in Uncanny Automator Pro (critical)
The vendor of the automation plugin Uncanny Automator has disclosed a security incident: around
12 June 2026, attackers used a flaw in third-party software to gain access to the vendor’s
update-distribution infrastructure and replaced the served update package of the paid Pro
variant with a tampered, backdoored build. Affected is exclusively the Pro build labelled
version 7.3.0.5 — not an official release, since the changelog jumps from 7.3.0.4 to 7.3.0.6.
The tampered build was distributed only during a window of roughly 21 hours; the free base
version was not affected. The injected backdoor accepts an unauthenticated HTTP request carrying
the _wplogin parameter and grants an administrator session through it, additionally creates
hidden administrator accounts and scheduled tasks, and transmits the site’s secret keys and
administrator details to attacker servers. The National Vulnerability Database assigns a CVSS
score of 9.8, classifying the incident as critical; the appropriate weakness class is CWE-506
(embedded malicious code). The distribution is clean again as of version 7.3.0.6. Important:
because this is live malware, a plain uninstall-and-reinstall is not sufficient — anyone who
deployed the 7.3.0.5 build must assume compromise and carry out a full clean-up of the system
(checking for rogue administrator accounts and scheduled tasks, rotating all secret keys and
passwords). In parallel, the vendor’s licensing database was stolen, containing names, email
addresses, license keys and site URLs (passwords were stored only hashed, no payment data was
affected); affected customers should expect targeted phishing attempts.
Sources: National Vulnerability Database — CVE-2026-12375 · Uncanny Automator — security incident notice
CVE-2026-14345 — Unauthenticated Code Execution in WPFunnels (critical)
The WPFunnels funnel builder for WooCommerce contains a login-free code execution flaw through
log-file poisoning in all versions up to and including 3.12.7. Input passed via the postData
parameter to a publicly reachable optin endpoint is written without sanitization into a .log
file whose path can be included by PHP; the security token belonging to the endpoint is visible in
the markup of every funnel page, so the injection requires no login. The log file’s later display
routine includes it via include_once and thereby executes any PHP stored within it. Once logging
is enabled and an administrator opens the log view, the injected code runs on the server, leading
to full takeover of the site. The National Vulnerability Database assigns a CVSS score of 9.8,
classifies the flaw as critical and assigns it to weakness class CWE-434. The vulnerability is
fixed in version 3.12.8, to which operators should update without delay.
Sources: National Vulnerability Database — CVE-2026-14345 · CVE Record — CVE-2026-14345
CVE-2026-12277 — Unauthenticated File Deletion in Frontend File Manager (high)
The Frontend File Manager plugin contains a path traversal flaw exploitable without a login in all
versions up to and including 23.6, provided the guest or frontend upload mode is enabled. The
deletion routine derives the target path from a user-controlled value (a saved file-metadata path)
and deletes the file without constraining the path to the intended upload directory. An attacker
can thereby point the deletion at arbitrary files outside the upload folder — including the central
configuration file wp-config.php. Removing it returns WordPress to its fresh-install routine,
which an attacker can redirect to their own database and so take over the installation; deleting
further core or content files additionally causes outage and data loss. The National Vulnerability
Database assigns a CVSS score of 8.7, classifies the flaw as high and assigns it to weakness class
CWE-22 (improper limitation of a pathname). At the time of writing no corrected version is listed;
operators should disable the guest/frontend upload mode and, while no fix is available, take the
plugin out of service.
Sources: National Vulnerability Database — CVE-2026-12277 · WPScan — Frontend File Manager Plugin
CVE-2026-6101 — File Write via Unsafe ZIP Extraction in AMP for WP (high)
The widely deployed AMP for WP – Accelerated Mobile Pages plugin, in use on more than 100,000 websites, contains a flaw in the extraction of uploaded ZIP archives in all versions up to and including 1.1.12. The local-font upload function extracts an archive without validating the contained file paths and does not reliably remove nested directories during cleanup — allowing files to be placed at attacker-chosen, web-accessible paths. An authenticated user from the “Author” role upward can thereby write arbitrary files to the server; on servers that execute PHP within the uploads directory this can be escalated to remote code execution and thus full control of the site. The National Vulnerability Database assigns a CVSS score of 7.5, classifies the flaw as high and assigns it to weakness class CWE-73 (external control of a file name or path); the high attack complexity reflects the conditions that must be met for a reliable write. At the time of writing no corrected version is listed; operators should strictly limit the assignment of Author privileges and follow the vendor’s notices.
Sources: National Vulnerability Database — CVE-2026-6101
Not sure whether you’re affected? Get in touch.
This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.