50K+ WordPress Sites Exposed: Admin Takeover via Uncanny Automator

CVE-2025-2075

A vulnerability has surfaced in the popular WordPress plugin, Uncanny Automator, leaving over 50,000 websites potentially exposed to complete compromise. Tracked as CVE-2025-2075, this critical flaw, with a CVSS score of 8.8, allows authenticated attackers, even those with mere subscriber-level access, to elevate their privileges to administrator. This means, in essence, they can seize complete control of your site.

The discovery, made by the researcher mikemyers through the Wordfence Bug Bounty Program (earning a well-deserved $1,065.00), highlights a significant oversight within the plugin’s code. According to Wordfence, “The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2.”

At the root of the issue lies a critical lack of capability checks within the plugin’s REST API endpoint. Wordfence’s technical analysis reveals that the add_role() and user_role() functions, used to manage user roles, were missing vital security validation. As Wordfence explains, “The most significant problem and vulnerability is caused by the fact that there are no capability checks in the REST API endpoint or validate_rest_call() function.”

This oversight allowed attackers to manipulate user roles without proper authorization. In practical terms, an attacker with a basic subscriber account could exploit this vulnerability to grant themselves administrative privileges. “In practice, this means that attackers could escalate the role of their own subscriber user to administrator while being unauthenticated,” the Wordfence report elaborates.
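To make the missing-check pattern concrete, here is an added illustration (not Uncanny Automator's code; the route, function and parameter names are hypothetical) of a role-changing REST endpoint with no capability check beside a hardened version that gates the route on the `promote_users` capability and validates the requested role:

```php
<?php
// Added illustration, not the plugin's code. Route and function names are hypothetical.

// WEAK: the permission callback admits every caller and the handler never checks
// capabilities, so a subscriber can change their own role to administrator.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/user-role', array(
        'methods'             => 'POST',
        'callback'            => 'example_set_user_role',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED: require the capability WordPress itself uses to gate role changes,
// and only accept a role that actually exists on the site.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/user-role-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_set_user_role',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Subscribers lack promote_users, so they are rejected with HTTP 403
            // before the handler runs.
            return current_user_can( 'promote_users' );
        },
        'args' => array(
            'user_id' => array( 'required' => true, 'type' => 'integer' ),
            'role'    => array(
                'required'          => true,
                'validate_callback' => function ( $role, $request, $param ) {
                    return array_key_exists( $role, wp_roles()->roles );
                },
            ),
        ),
    ) );
} );

function example_set_user_role( WP_REST_Request $request ) {
    $user = get_user_by( 'id', (int) $request['user_id'] );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'No such user', array( 'status' => 404 ) );
    }
    // set_role() replaces all of the user's roles; on the hardened route this line
    // is only reachable by a caller holding promote_users.
    $user->set_role( sanitize_key( $request['role'] ) );
    return rest_ensure_response( array( 'user_id' => $user->ID, 'roles' => $user->roles ) );
}
```

When reviewing a plugin, a `permission_callback` of `__return_true` (or one that only checks `is_user_logged_in()`) on any route that writes user, role or option data is the first thing to flag.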

Once an attacker gains administrative access, they can wreak havoc on a compromised site. “As with any Privilege Escalation vulnerability, this can be used for complete site compromise,” Wordfence warns. Attackers can upload malicious plugins and themes, modify content, and even redirect users to harmful websites.

Wordfence strongly urges all Uncanny Automator users to update to the patched version, 6.4.0, immediately.
