A high-severity vulnerability in the Uncanny Automator plugin exposes over 50,000 WordPress sites to privilege escalation. Authenticated users can gain administrative access, potentially compromising site security. Administrators are urged to update immediately to mitigate risks and protect websites.

Critical WordPress Plugin Bug Exposes 50,000+ Sites

The420.in Staff

A high-severity vulnerability has exposed more than 50,000 WordPress websites to compromise through a flaw in the widely used Uncanny Automator plugin. The issue allows any authenticated user, even one with minimal access, to escalate privileges to administrator level, raising serious concerns about website security and data integrity.

Vulnerability Enables Unauthorized Admin Access

The vulnerability stems from missing authorization checks on certain of the plugin's REST API endpoints: the endpoints confirm that a request comes from a logged-in user but do not verify that the user holds a capability appropriate for the action. As a result, a user with the lowest default role, subscriber, can invoke functionality that should be reserved for administrators and use it to elevate their own privileges.

By exploiting this flaw, an attacker gains administrator-level access, which provides full control over the website's settings, content, users and installed code.
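The following is an added illustration of the bug class described above, written for this page; it is not code from the Uncanny Automator plugin and does not reproduce the actual vulnerable endpoint. It registers the same hypothetical REST route (namespace `acme/v1`, route `/user-role`, handler `acme_set_user_role`, all assumed names) twice: once with a permission callback that only checks authentication, and once with a capability check plus input validation.

```php
<?php
/**
 * Illustrative example only (not the plugin's own code).
 * Assumed names: namespace "acme/v1", route "/user-role",
 * handler acme_set_user_role().
 */

// VULNERABLE PATTERN: is_user_logged_in() answers "who is this?", not
// "may they do this?". Any subscriber who can obtain a REST nonce (it is
// embedded on every wp-admin page, including the profile page that
// subscribers can open) can reach the handler and change roles.
function acme_register_user_role_route_vulnerable() {
    register_rest_route( 'acme/v1', '/user-role', array(
        'methods'             => WP_REST_Server::EDITABLE, // POST/PUT/PATCH
        'callback'            => 'acme_set_user_role',
        'permission_callback' => 'is_user_logged_in',      // authentication only
    ) );
}

// HARDENED PATTERN: the permission_callback enforces a capability that only
// administrators hold by default, and declared args are type-checked and
// sanitised by the REST server before the handler runs.
function acme_register_user_role_route_hardened() {
    register_rest_route( 'acme/v1', '/user-role', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'acme_set_user_role',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Returning a WP_Error with status 403 makes the server reject
            // the request before the callback is invoked.
            if ( ! current_user_can( 'promote_users' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient privileges.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
        'args' => array(
            'user_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
            'role'    => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
}

// Shared handler. Defence in depth: it re-checks the capability itself so a
// future route registration with a weak permission_callback cannot reuse it
// as a privilege-escalation primitive.
function acme_set_user_role( WP_REST_Request $request ) {
    if ( ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }

    $user_id = absint( $request['user_id'] );
    $role    = sanitize_key( $request['role'] );

    // Only accept roles that actually exist on this site.
    if ( ! wp_roles()->is_role( $role ) ) {
        return new WP_Error( 'rest_invalid_param', 'Unknown role.', array( 'status' => 400 ) );
    }

    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        return new WP_Error( 'rest_user_invalid_id', 'User not found.', array( 'status' => 404 ) );
    }

    $user->set_role( $role ); // replaces all existing roles with $role
    return rest_ensure_response( array( 'user_id' => $user_id, 'role' => $role ) );
}

// Wire up the hardened registration; the vulnerable one is left unhooked
// and exists only to show the contrast.
add_action( 'rest_api_init', 'acme_register_user_role_route_hardened' );
```

The point to take from the two registrations is that `permission_callback` is the authorization gate for a REST route, and "logged in" is not an authorization decision: WordPress's default open registration hands out subscriber accounts, so an endpoint gated only on authentication is effectively gated on nothing. When auditing a plugin, grep its `register_rest_route` calls for `__return_true`, `is_user_logged_in`, or a missing `permission_callback`, and then check what the handler can do.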


High Severity Rating and Exploitation Risks

The issue has been assigned CVE-2025-2075 with a CVSS base score of 8.8 (High). Security researchers confirmed that the flaw can be exploited with minimal effort, provided the attacker has a valid account on the target site; a subscriber-level account suffices, and many sites create such accounts automatically through open registration.

Successful exploitation could enable attackers to install malicious plugins, redirect users to fraudulent websites, inject harmful content, or completely take over website operations. This level of access poses significant risks, particularly for sites handling sensitive user data or financial transactions.

Patch Rollout and Mitigation Measures

Following responsible disclosure, the plugin developers released patches to address the vulnerability. A partial fix was issued on March 17, 2025 (version 6.3.0.2), followed by a complete patch on April 1, 2025 with version 6.4.0.

Security provider Wordfence also deployed firewall protections for premium users shortly after the vulnerability was identified, with the same protection rolled out to free users in April 2025. A firewall rule is a stopgap, not a fix: website administrators are strongly advised to update to version 6.4.0 or later immediately, since the earlier 6.3.0.2 release only partially addressed the issue.

Broader Implications for WordPress Security

The incident highlights ongoing risks within the WordPress ecosystem, particularly from third-party plugins that expose privileged functionality without robust authorization checks. The vulnerability underscores the importance of prompt updates, least-privilege access management (including limiting who can register accounts and what new accounts can do), and continuous monitoring for unexpected role changes and new administrator accounts.

The researcher who reported the flaw was awarded $1,065 through a bug bounty program, reflecting industry efforts to incentivize responsible disclosure and strengthen platform security.

About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
