CVE-2025-2075: Uncanny Automator <= 6.3.0.2 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
First published: Fri Apr 04 2025(Updated: )
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due to add_role() and user_role() functions missing proper capability checks performed through the validate_rest_call() function. This makes it possible for unauthenticated attackers to set the role of arbitrary users to administrator granting full access to the site, though privilege escalation requires an active account on the site so this is considered an authenticated privilege escalation.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Uncanny Automator | <=6.3.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/86b4b0d6-bda2-47f3-a0b5-9733cb7a11f6?source=cve
- https://plugins.trac.wordpress.org/changeset/3257300/uncanny-automator/trunk/src/core/classes/class-background-actions.php
- https://plugins.trac.wordpress.org/changeset/3265280/uncanny-automator/trunk/src/core/classes/class-background-actions.php
Frequently Asked Questions
What is the severity of CVE-2025-2075?
CVE-2025-2075 has a high severity rating due to its potential for privilege escalation.
How do I fix CVE-2025-2075?
To fix CVE-2025-2075, update the Uncanny Automator plugin to version 6.3.0.3 or later.
What versions are affected by CVE-2025-2075?
CVE-2025-2075 affects all versions of the Uncanny Automator plugin up to and including 6.3.0.2.
What type of vulnerability is CVE-2025-2075?
CVE-2025-2075 is a privilege escalation vulnerability that allows unauthorized users to gain elevated permissions.
Who is impacted by CVE-2025-2075?
Users of the Uncanny Automator plugin for WordPress are impacted by CVE-2025-2075 if they are running an affected version.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/author
- agent/source
- agent/tags
- agent/event
- vendor/uncanny automator
- canonical/uncanny automator