A high-severity privilege escalation vulnerability was recently disclosed in Uncanny Automator, a WordPress plugin used by more than 50,000 websites. Reported by security researcher mikemyers, the flaw lets an authenticated attacker with only subscriber-level access escalate to administrator. It affects Uncanny Automator versions up to and including 6.3.0.2, where a REST API endpoint performs insufficient capability checks and therefore never verifies that the requesting user is authorized to perform the action. With a route that is merely authenticated rather than authorized, any registered user can invoke functionality meant for administrators. An attacker who gains full administrative control can do anything an administrator can, including uploading malicious files, redirecting visitors, and injecting content into the site.
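To make the bug class concrete, the following is an added illustrative example and is not code from Uncanny Automator or Wordfence. It registers a generic WordPress REST route whose permission_callback only confirms that the caller is logged in, so a Subscriber can reach a handler that writes a role-related setting, and beside it a hardened registration that requires the manage_options capability and constrains input through the route's argument schema. The namespace example-plugin/v1, the route paths, the option name and the handler function are hypothetical.

```php
<?php
/**
 * Illustrative missing-authorization pattern in a WordPress REST endpoint,
 * with a hardened counterpart. Generic example only; the namespace, routes,
 * option name and handler below are made up and belong to no real plugin.
 */

// --- Vulnerable pattern -----------------------------------------------------
// The permission_callback answers "is someone logged in?" rather than
// "is this user allowed to do this?". Every Subscriber passes it.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
        'callback'            => 'example_save_settings',
        'permission_callback' => function () {
            // BUG: authentication only, no capability check.
            return is_user_logged_in();
        },
        // No 'args' schema either, so any string reaches the handler,
        // including 'administrator'.
    ) );
} );

// --- Hardened pattern -------------------------------------------------------
// Require the capability the action actually needs (manage_options is held
// by Administrators by default) and whitelist the accepted values so the
// endpoint cannot be used to hand out a privileged role even by an admin typo.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings-secure', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_save_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to change these settings.', 'example-plugin' ),
                    // 401 for anonymous callers, 403 for authenticated ones.
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'default_role' => array(
                'type'              => 'string',
                'required'          => true,
                'enum'              => array( 'subscriber', 'contributor', 'author', 'editor' ),
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

/**
 * Shared handler. Through the vulnerable route a Subscriber can set this
 * option to 'administrator'; through the hardened route only an Administrator
 * reaches it, and the schema rejects that value before the handler runs.
 */
function example_save_settings( WP_REST_Request $request ) {
    $role = $request->get_param( 'default_role' );
    update_option( 'example_plugin_default_role', $role );
    return rest_ensure_response( array( 'default_role' => $role ) );
}
```

The distinction to look for in review is authentication versus authorization: is_user_logged_in(), or a permission_callback of '__return_true', only tells you who is calling, while current_user_can() against the specific capability the handler needs is the check that prevents escalation. Searching a plugin for register_rest_route and reading each permission_callback with that question in mind is a quick way to find this class of bug.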
Wordfence validated the report after mikemyers responsibly disclosed it and rated the vulnerability CVSS 8.8 (High).
The researcher was awarded a $1,065 bounty for identifying and reporting the issue. The impact is severe: an attacker who reaches administrator privileges can change user roles, inject malicious content, and otherwise disrupt site operations, compromising the site's integrity and its users' trust.
In response, Uncanny Owl, the plugin's developer, released an initial patch on March 17, 2025, followed by the fully patched release, version 6.4.0, on April 1, 2025.
Wordfence also deployed a firewall rule to its premium users on March 7, 2025, blocking exploitation attempts ahead of the vendor patch; users of the free version received the same rule on April 6, 2025, after the standard 30-day delay. The timeline underscores the importance of timely software updates and of coordination between researchers, vendors and security firms in mitigating emerging threats.
This incident highlights the ongoing need for vigilance in securing WordPress websites, particularly around widely used plugins, and the value of responsible disclosure and fast patching to the ecosystem's security. Site owners are strongly advised to update Uncanny Automator to version 6.4.0 or later to close this vulnerability. The incident also serves as a reminder that defense in depth, including a web application firewall and the principle of least privilege for user accounts, remains necessary against evolving threats.