CVE-2025-2075 Scanner
CVE-2025-2075 Scanner - Privilege Escalation vulnerability in Uncanny Automator
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 13 days 11 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
The Uncanny Automator plugin is widely used by WordPress site administrators and developers needing to automate tasks, integrate services, and create workflows. It helps users to streamline operations by connecting different plugins and services without requiring any programming skills. Users primarily comprise website owners looking for efficiency in managing their sites, reducing manual intervention, and integrating various functional components seamlessly. It aids in managing webhook interactions as well as handling backend logic through a user-friendly interface. The plugin is found useful across various sectors, including eCommerce, education, and membership sites, offering valuable features integrated into WordPress platforms. With the rising trend in automation, this plugin offers a crucial tool for those looking to enhance their site's functionality and connectivity.
The privilege escalation vulnerability in the Uncanny Automator plugin allows attackers to raise their own privileges without proper authorization. It stems from plugin functions such as add_role() and user_role(), which are reachable without a capability check in the validate_rest_call() function. As a result, an attacker can set arbitrary user roles, including administrator. Flaws of this kind typically let an authenticated user exploit the missing authorization check to gain elevated access. Here, an attacker can use that access to make unauthorized changes across the WordPress site, threatening its integrity and operation. Understanding this role and permissions flaw is critical to ensuring that robust authorization controls are enforced at every endpoint.
Technically, the vulnerability lies in the misuse of REST API endpoints that process changes to user roles: the Uncanny Automator plugin does not perform the expected WordPress API checks correctly. Attacker-driven requests pass through the add_role() and user_role() functions, which should verify the caller's permissions via authorization headers. Because these checks are missing, role assignments can be changed without authorization, bypassing the normal security controls. Attacks are carried out with API calls carrying manipulated data that mimics authenticated users whose roles can then be altered. Such requests typically return HTTP 200, signalling a successful privilege elevation that may go unnoticed in standard logs.
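The pattern behind the flaw described above, as an added illustration that is not the plugin's code or its actual patch: a REST validation routine that only checks a nonce authenticates the request but never authorises it, so a capability check belongs in the route's permission_callback. The route path, the demo_* function names and the request shape are hypothetical.

```php
<?php
// Added example, not Uncanny Automator's code. Route, function and parameter names are hypothetical.

// Weak pattern: a nonce proves the request came from a logged-in session,
// but says nothing about whether that user is allowed to change roles.
function demo_validate_rest_call_nonce_only( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
}

// Hardened pattern: authenticate (nonce) AND authorise (capability).
// 'promote_users' is the core capability WordPress requires to change a user's role.
function demo_validate_rest_call( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid nonce.', array( 'status' => 403 ) );
    }
    if ( ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true;
}

// Handler that applies the role change; it only runs after permission_callback returned true.
function demo_set_user_role( WP_REST_Request $request ) {
    $user_id = absint( $request['user_id'] );
    $role    = sanitize_key( $request['role'] );
    $user    = get_userdata( $user_id );
    if ( ! $user || ! get_role( $role ) ) {
        return new WP_Error( 'rest_invalid_param', 'Unknown user or role.', array( 'status' => 400 ) );
    }
    $user->set_role( $role );
    return rest_ensure_response( array( 'user_id' => $user_id, 'role' => $role ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/user-role', array(
        'methods'             => 'POST',
        'callback'            => 'demo_set_user_role',
        // The permission_callback is where the capability check belongs;
        // using demo_validate_rest_call_nonce_only here reproduces the weak pattern.
        'permission_callback' => 'demo_validate_rest_call',
        'args'                => array(
            'user_id' => array( 'required' => true, 'type' => 'integer' ),
            'role'    => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

When reviewing a plugin's REST routes, look at every permission_callback: one that returns true after a nonce check alone, or __return_true, authenticates but does not authorise.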
Exploitation of this vulnerability can have severe effects, most notably unauthorized access to sensitive data and complete control over administrative functions. Malicious users could use escalated privileges to install malicious plugins, modify critical configuration, and access non-public content or user data. Such unauthorized administrative access undermines the site's trustworthiness and can lead to data breaches and service disruption. It may also expose the site to further attacks, including data theft, malware insertion, or defacement. Mitigation should therefore be immediate, to protect users' data integrity and the server against unauthorized modification.
REFERENCES
- https://www.wordfence.com/blog/2025/04/50000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-uncanny-automator-wordpress-plugin/
- https://plugins.trac.wordpress.org/changeset/3257300/uncanny-automator/trunk/src/core/classes/class-background-actions.php
- https://plugins.trac.wordpress.org/changeset/3265280/uncanny-automator/trunk/src/core/classes/class-background-actions.php
- https://nvd.nist.gov/vuln/detail/CVE-2025-2075