The uncanny-automator-pro WordPress plugin before 7.3.0.6 was distributed with malicious code after the vendor's uncanny-automator-pro WordPress plugin before 7.3.0.6 update/distribution infrastructure was compromised; the injected backdoor grants unauthenticated attackers an administrator session on affected sites and beacons the site's secret keys and administrator details to attacker-controlled servers.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-12375 represents a supply chain attack where the Uncanny Automator Pro WordPress plugin distribution infrastructure was compromised, resulting in malicious code injection before version 7.3.0.6. The injected backdoor enables unauthenticated attackers to establish administrator sessions on affected WordPress installations and exfiltrate sensitive data including site secret keys and administrator credentials. This vulnerability is critical (CVSS 9.8) because it affects WordPress plugin users globally, grants immediate administrative access without authentication, and creates persistent access vectors for follow-on attacks. Organizations running affected versions face complete site compromise, data theft, and potential lateral movement into connected infrastructure.
While this specific CVE lacks mapped MITRE ATT&CK techniques, Casky practitioners would leverage Claude's extended reasoning to identify the attack pattern signatures across multiple security domains. The backdoor injection maps to Supply Chain Compromise (T1195.002), Initial Access through compromised plugin distribution (T1195), and Privilege Escalation through unauthenticated admin session creation (T1548). Detection would focus on identifying suspicious authentication patterns—administrator sessions created without corresponding login events, anomalous API calls to external C2 infrastructure exfiltrating credentials (T1041: Exfiltration Over C2 Channel), and modified plugin files containing obfuscated code. Practitioners analyzing this attack through Casky's skill framework would examine WordPress authentication logs, plugin file integrity, outbound network connections from web servers, and database access patterns to isolate compromised installations before secondary exploitation occurs.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-12375. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation