CVE-2025-2075 Scanner

CVE-2025-2075 Scanner – Authenticated Privilege Escalation in Uncanny Automator Plugin

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 10 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

The Uncanny Automator plugin enables workflow automation within WordPress, allowing integrations with plugins, webhooks, and third-party services. It is widely used for streamlining actions like user management, course completion triggers, and CRM connections. The plugin is active on over 50,000 WordPress sites, making it a significant target for attackers.

Versions up to 6.3.0.2 suffer from a critical authorization flaw in the REST API endpoints utilized by the plugin. Specifically, the `add_role()` and `user_role()` functions lack proper authorization checks via `validate_rest_call()`, making it possible for authenticated users (even subscribers) to escalate their privileges to `administrator`. This makes the vulnerability exploitable under minimal conditions and can lead to complete site takeover.

The exploitation chain begins with a valid login from a low-privilege user, followed by enumeration of their own user ID from `profile.php`. A POST request to the vulnerable `/wp-json/uap/v2/async_action/` endpoint with the `USERROLE` action and role set to `administrator` results in privilege escalation. A final verification step confirms the attacker now appears as an administrator in the user list.

This vulnerability represents a high security risk in shared or poorly maintained environments where untrusted users have login access. It underscores the importance of protecting REST API endpoints with proper capability checks and upgrading plugins promptly.
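As an added defender-side check (not part of this scanner or of the plugin's own code), the Python below covers the two things a site owner would want from this advisory: a numeric version comparison against the last affected release, 6.3.0.2, and a pass over access-log lines that flags POST requests to the async_action endpoint named above. The log lines are constructed samples in combined log format; that format and the users.php request are assumptions.

```python
import re

# Affected versions per the advisory: everything up to and including 6.3.0.2.
LAST_VULNERABLE = "6.3.0.2"
# Endpoint named in the advisory. The USERROLE action travels in the POST body,
# which an access log does not record, so detection keys on method and path.
ENDPOINT = "/wp-json/uap/v2/async_action/"


def parse_version(v):
    """'6.3.0.2' -> (6, 3, 0, 2); numeric tuples avoid '6.3.0.10' < '6.3.0.2' string bugs."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(installed):
    """True when the installed plugin version is at or below the last affected release."""
    return parse_version(installed) <= parse_version(LAST_VULNERABLE)


# Combined log format (assumed); the sample lines further down are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def suspicious_requests(lines):
    """Return (ip, timestamp, status) for every POST to the async_action endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        # Drop any query string and normalise the trailing slash before comparing.
        path = m.group("path").split("?", 1)[0].rstrip("/") + "/"
        if m.group("method") == "POST" and path == ENDPOINT:
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits


# Constructed sample traffic, not real log data.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-admin/profile.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2025:12:00:09 +0000] "POST /wp-json/uap/v2/async_action/ HTTP/1.1" 200 312',
    '198.51.100.4 - - [10/Mar/2025:12:01:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9001',
    '203.0.113.7 - - [10/Mar/2025:12:01:30 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 7700',
]

if __name__ == "__main__":
    print("6.3.0.2 vulnerable:", is_vulnerable("6.3.0.2"), "| 6.3.0.3 vulnerable:", is_vulnerable("6.3.0.3"))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("review role changes for:", hit)
```

A flagged POST is a lead, not proof: confirm by checking the WordPress users table or an audit log for role changes on the matching account around that timestamp.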
