Threat Advisory

Uncanny Automator Plugin Vulnerability Enables Admin Privileges

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

A critical vulnerability in the Uncanny Automator WordPress plugin, identified as CVE-2025-2075 with a CVSS score of 8.8, allows authenticated users with subscriber-level access to escalate their privileges to administrator, putting over 50,000 websites at risk of full compromise. The flaw stems from a missing capability check in one of the plugin's REST API endpoints, which permitted attackers to alter user roles without proper validation. Discovered through the Wordfence Bug Bounty Program, this oversight could enable attackers to gain control of affected sites, install malicious content, and redirect traffic, prompting an urgent recommendation for all users to upgrade to the latest version.
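
The root cause described above is a REST route whose permission check does not verify that the caller holds a capability appropriate for changing roles. The following is an added example, not Uncanny Automator's code: a hypothetical role-change route registered first with the weak permission_callback pattern and then with a proper capability check, so the two can be compared side by side. The namespace `example/v1`, the route `/user-role` and the parameter names are assumptions for illustration; the WordPress functions used (`register_rest_route`, `current_user_can`, `get_role`, `WP_User::set_role`, `rest_authorization_required_code`) are real core APIs.

```php
<?php
// Added example (not the plugin's code): a hypothetical REST route that changes
// a user's role. Route, namespace and parameter names are assumptions.

// WEAK: permission_callback unconditionally returns true, so every request that
// reaches WordPress is allowed into the handler. Nothing here distinguishes a
// subscriber from an administrator; this is the shape of a missing capability check.
function example_register_weak_role_route() {
    register_rest_route( 'example/v1', '/user-role', array(
        'methods'             => 'POST',
        'callback'            => 'example_set_user_role',
        'permission_callback' => '__return_true', // the missing capability check
    ) );
}

// HARDENED: the same route gated on a capability that only administrators hold
// by default. WordPress evaluates permission_callback before the handler runs
// and returns a 401/403 response when it yields false or a WP_Error.
function example_register_hardened_role_route() {
    register_rest_route( 'example/v1', '/user-role', array(
        'methods'             => 'POST',
        'callback'            => 'example_set_user_role',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'promote_users' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to change user roles.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'user_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
            'role' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $role ) {
                    // Reject role names that do not exist on this site.
                    return null !== get_role( $role );
                },
            ),
        ),
    ) );
}

// Shared handler. It re-validates its inputs even with the capability check in
// place: permission_callback answers "may this caller reach the handler", not
// "are the parameters safe".
function example_set_user_role( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $role    = (string) $request->get_param( 'role' );

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
    }
    if ( null === get_role( $role ) ) {
        return new WP_Error( 'rest_invalid_role', 'Unknown role.', array( 'status' => 400 ) );
    }

    // Defence in depth: granting administrator additionally requires that the
    // caller may edit the target user (edit_user is a meta capability).
    if ( 'administrator' === $role && ! current_user_can( 'edit_user', $user_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Not allowed to promote this user.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    $user->set_role( $role );

    return rest_ensure_response( array(
        'user_id' => $user_id,
        'roles'   => $user->roles,
    ) );
}

// Only the hardened variant is wired up; the weak one exists for comparison.
add_action( 'rest_api_init', 'example_register_hardened_role_route' );
```

When reviewing a plugin for this class of bug, the check is simple: every `register_rest_route` call that mutates state should carry a `permission_callback` that tests a specific capability, not `__return_true`. Since WordPress 5.5 a route registered with no `permission_callback` at all triggers a `_doing_it_wrong` notice, which makes that omission visible in debug logs, but a callback that always returns true produces no warning and must be found by code review.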

RECOMMENDATION:

We strongly recommend that you update the Uncanny Automator WordPress plugin to version 6.4.0.

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/50k-wordpress-sites-exposed-admin-takeover-via-uncanny-automator/
