A critical security vulnerability has been identified in the widely used Uncanny Automator plugin, putting over 50,000 WordPress websites at risk. The flaw lets authenticated users, even those with minimal subscriber-level access, escalate their privileges to administrator, posing a significant threat to website security.
Discovery and Nature of the Vulnerability
On March 5, 2025, security researcher mikemyers uncovered an Arbitrary File Upload vulnerability within the Uncanny Automator plugin. This plugin is renowned for enhancing automation and workflows on WordPress sites. The vulnerability arises from inadequate capability checks in the plugin’s codebase, specifically due to missing authorization checks for certain REST API endpoints. This oversight allows attackers with valid site accounts to exploit functions that modify user roles.
Technical Details
The core issue lies in two functions within the plugin: `add_role()` and `user_role()`. These functions manage role assignments but do not verify that the caller is allowed to change roles, so an attacker with a subscriber-level account can manipulate them. Because the `validate_rest_call()` function does not enforce an adequate authorization check, the REST API endpoints that reach these functions remain exposed, making privilege escalation possible with minimal effort.
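As an added illustration (this is not Uncanny Automator's code), the snippet below shows how a WordPress REST route that changes a user's role should be registered: the commented-out permission callback only checks that the caller is logged in, which is the class of weakness described above, while the active one requires the `promote_users` capability and restricts the target role to those the caller could assign in wp-admin. The route name, function names and argument names are hypothetical.

```php
<?php
// Hypothetical plugin snippet showing a weak vs. a hardened permission check
// on a role-changing REST endpoint. Not taken from any real plugin.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-automator/v1', '/user-role', array(
        'methods'             => 'POST',
        'callback'            => 'example_set_user_role',
        // Weak: any logged-in user, including a subscriber, passes this check.
        // 'permission_callback' => 'is_user_logged_in',
        // Hardened: require the capability core uses for changing roles.
        'permission_callback' => 'example_can_change_roles',
        'args'                => array(
            'user_id' => array( 'required' => true, 'type' => 'integer' ),
            'role'    => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

function example_can_change_roles( WP_REST_Request $request ) {
    // promote_user is the meta capability checked when editing another user's role.
    if ( ! current_user_can( 'promote_user', (int) $request['user_id'] ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true;
}

function example_set_user_role( WP_REST_Request $request ) {
    $user_id = (int) $request['user_id'];
    $role    = sanitize_key( $request['role'] );

    // Only accept roles the caller could assign through wp-admin (same filter
    // get_editable_roles() applies), so a non-admin cannot hand out 'administrator'.
    $editable = apply_filters( 'editable_roles', wp_roles()->roles );
    if ( ! isset( $editable[ $role ] ) ) {
        return new WP_Error( 'invalid_role', 'Role is not assignable by the caller.', array( 'status' => 400 ) );
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'User not found.', array( 'status' => 404 ) );
    }

    $user->set_role( $role );
    return rest_ensure_response( array( 'user_id' => $user_id, 'role' => $role ) );
}
```

Both checks matter: the permission callback stops subscribers at the door, and the role whitelist stops a lower-privileged but legitimately permitted caller from assigning a role above its own.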
Potential Impact
Once exploited, attackers can elevate their roles to administrators, granting them unrestricted access to the site. This access allows for the installation of malicious plugins, redirection of users to fraudulent websites, and potential complete site compromise.
Vulnerability Classification
The vulnerability has been cataloged as CVE-2025-2075 and assigned a CVSS score of 8.8 out of 10, a High-severity rating. Wordfence Intelligence confirmed the proof-of-concept exploit and detailed the underlying technical flaws.
Response and Mitigation
Upon disclosure, the Uncanny Owl team, developers of the plugin, responded promptly:
– March 17, 2025: Released version 6.3.0.2 as a partial patch.
– April 1, 2025: Released the fully patched version 6.4.0, resolving all vulnerabilities.
Wordfence, a leading WordPress security provider, implemented protective measures for its premium users by March 7, 2025. Free Wordfence users received the same protection starting April 6, 2025.
Recommendations for Administrators
Administrators of affected websites are strongly urged to:
– Update the Uncanny Automator plugin to the latest secure version, 6.4.0, without delay.
– Regularly monitor and audit user roles and permissions.
– Implement additional security measures, such as web application firewalls (WAFs), to detect and prevent unauthorized access.
Broader Implications
This vulnerability underscores the importance of maintaining updated plugins and implementing layered security measures. The widespread use of the affected plugin, with over 50,000 active installations, makes this a significant security event for the WordPress community.
Community and Industry Response
The discovery of this flaw highlights the importance of collaboration between security researchers and plugin developers. Mikemyers, the researcher who reported the vulnerability, earned $1,065.00 through the Wordfence Bug Bounty Program, reflecting the industry’s commitment to strengthening WordPress security.
Wordfence emphasized its dedication to fostering defense in depth and continuously investing in vulnerability research. By partnering with skilled researchers, the company aims to safeguard the WordPress ecosystem through proactive measures.
Conclusion
The Uncanny Automator vulnerability serves as a stark reminder of the critical importance of regular plugin updates and vigilant security practices. Website administrators must remain proactive in monitoring and securing their sites to protect against emerging threats.