Urgent Security Alert: Critical Privilege Escalation Vulnerability Patched in Uncanny Automator Plugin


WordPress site administrators using the popular Uncanny Automator plugin (50,000+ installations) must take immediate action to secure their websites. A high-severity privilege escalation vulnerability (CVE-2025-2075, CVSS 8.8) was recently discovered and patched, allowing attackers to gain administrative access. Here’s what you need to know.

What Happened?

On March 5, 2025, Wordfence’s Bug Bounty Program received a report from researcher mikemyers detailing a critical flaw in Uncanny Automator (versions ≤6.3.0.2). The vulnerability enabled authenticated attackers—even those with minimal “subscriber” privileges—to escalate their roles to administrator, granting full control over affected sites.

Key Risks:

  • Attackers could inject malicious code, manipulate content, or hijack user data.
  • No advanced hacking skills were required—exploiting this flaw was straightforward for attackers with subscriber accounts.

Technical Breakdown

The vulnerability stemmed from missing authorization checks in two places:

  1. The add_role() and user_role() functions did not verify that the requesting user actually had permission to modify roles (no capability check before the role change).
  2. The validate_rest_call() function did not properly authenticate REST API requests, so the role-changing actions could be reached without the expected authentication.

This oversight allowed attackers to abuse Uncanny Automator’s workflow automation features to assign themselves admin privileges. The plugin did block role changes for accounts that were already administrators, but that check did nothing to stop a non-admin account (such as the attacker’s own subscriber account) from being promoted to administrator.

Timeline of Detection & Resolution

  • March 4, 2025: Vulnerability reported via Wordfence’s Bug Bounty Program.
  • March 7, 2025: Wordfence Premium/Care/Response users received firewall rules for immediate protection.
  • March 11, 2025: Uncanny Owl (plugin developer) acknowledged the issue.
  • March 17 & April 1, 2025: Partial and full patches released in version 6.4.0.
  • April 6, 2025: Free Wordfence users gained the same firewall protection.

The researcher earned a $1,065 bounty for their responsible disclosure, underscoring the value of Wordfence’s no-cost Bug Bounty Program for securing the WordPress ecosystem.

Is Your Site at Risk?

If your site uses Uncanny Automator, update to version 6.4.0 immediately. Follow these steps:

  1. Navigate to Plugins → Installed Plugins in your WordPress dashboard.
  2. Check if Uncanny Automator is running version 6.3.0.2 or earlier.
  3. Click “Update Now” if an update is available.

For added protection:

  • Ensure Wordfence is active (Premium users were shielded starting March 7).
  • Audit user roles and remove suspicious subscriber/contributor accounts.

Why This Matters

Privilege escalation flaws are among the most dangerous vulnerabilities. Once an attacker gains admin access, they can:

  • Install backdoors or malware.
  • Steal sensitive data.
  • Deface pages or redirect visitors to malicious sites.

The Uncanny Owl team’s swift response—releasing a patch within days—highlights the importance of collaboration between developers and security researchers.

Final Recommendations

  1. Update Immediately: Delay could mean catastrophic compromise.
  2. Monitor User Activity: Look for unexpected role changes or new admin accounts.
  3. Layered Security: Use Wordfence or similar solutions to block exploits before patches are applied.
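As an added example (not Uncanny Automator’s or Wordfence’s code; the `role_audit_safe_set_role` helper, the `ROLE_AUDIT_PRIVILEGED` list and the mu-plugin file name are hypothetical), the following mu-plugin shows the authorization check that the Technical Breakdown describes as missing, a `current_user_can('promote_users')` test before any role change, together with a `set_user_role` audit hook that implements recommendation 2 by logging every role change and mailing the site admin on promotion to administrator.

```php
<?php
// Hypothetical mu-plugin (example only, not Uncanny Automator's code).
// Save as wp-content/mu-plugins/role-audit.php on a test site.

// Roles an automation must never be allowed to hand out.
const ROLE_AUDIT_PRIVILEGED = array( 'administrator', 'editor' );

/**
 * Change $user_id's role to $role only when the requester holds the
 * promote_users capability and $role is not privileged.
 * The first test is the authorization check the vulnerable code lacked.
 * Returns true on success, WP_Error on refusal.
 */
function role_audit_safe_set_role( $user_id, $role ) {
    if ( ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'forbidden', 'Requester may not change roles.' );
    }
    if ( in_array( $role, ROLE_AUDIT_PRIVILEGED, true ) ) {
        return new WP_Error( 'forbidden', 'Automation may not grant a privileged role.' );
    }
    if ( ! get_role( $role ) ) {
        return new WP_Error( 'invalid_role', 'Unknown role: ' . $role );
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'invalid_user', 'Unknown user ID: ' . $user_id );
    }
    $user->set_role( $role ); // fires the set_user_role action below
    return true;
}

// Audit hook: core fires set_user_role for every WP_User::set_role() call,
// whichever plugin or REST route triggered it, so it also records changes
// that never went through the helper above.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    $msg = sprintf(
        '[role-audit] user %d: [%s] -> %s by actor %d from %s',
        $user_id, implode( ',', $old_roles ), $role, get_current_user_id(), $ip
    );
    error_log( $msg ); // lands in the PHP error log / WP_DEBUG_LOG
    // Promotion to administrator is the event this advisory is about.
    if ( 'administrator' === $role && ! in_array( 'administrator', $old_roles, true ) ) {
        wp_mail( get_option( 'admin_email' ), 'Unexpected administrator promotion', $msg );
    }
}, 10, 3 );
```

A subscriber calling the helper gets a `forbidden` WP_Error because subscribers lack `promote_users`, and any promotion that reaches `set_role()` by another path still produces a log line and an alert.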

Share this alert with anyone using Uncanny Automator to help safeguard the WordPress community.

Stay vigilant, stay updated, and keep your site secure!

For full technical details, read the original Wordfence advisory.
