50,000+ WordPress Sites at Risk of Admin Takeover from Uncanny Automator Flaw

A critical security vulnerability in the Uncanny Automator WordPress plugin, used by over 1 million websites worldwide, has left more than 50,000 sites dangerously exposed to complete administrator takeover by any authenticated user with minimal privileges. Tracked as CVE-2025-2075 with a CVSS score of 8.8 (High), the flaw stems from missing authorisation checks and capability validation in the plugin’s custom REST API endpoints, allowing subscribers or other low-level users to escalate privileges and gain full control.

Security researchers at Wordfence confirmed the vulnerability enables attackers to bypass WordPress’s robust role-based access controls through carefully crafted API requests. Once exploited, malicious users can install plugins, modify themes, redirect visitors to phishing sites, inject malware or exfiltrate sensitive data from databases—a catastrophic outcome for e-commerce platforms, membership sites and corporate blogs.

Anatomy of the Privilege Escalation Attack

Uncanny Automator powers no-code workflow automation across 500+ WordPress plugins and services, creating complex trigger-action chains for marketing, e-commerce and content management. The vulnerability resides in custom REST API endpoints handling automation triggers and actions, which failed to implement WordPress nonces (security tokens) and capability checks.

An attacker with any valid login—obtained via phishing, brute force or social engineering—sends POST requests to the unprotected endpoints, overriding user roles to gain administrator privileges. The attack requires no special plugins or server access, so it is within reach of script kiddies yet devastating for site owners.
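To make the missing control concrete, here is an added example (not Uncanny Automator's code, nor Wordfence's) of the two ways a WordPress REST route can be registered. The first mirrors the defect class the advisory describes: the route is reachable by any logged-in user and the handler does whatever it is told. The second is the hardened form the closing section asks plugin developers for: a capability-based `permission_callback`, input validation through `args`, and the same role-assignment checks WordPress core makes in its own user editor. The namespace `example-automator/v1`, the `/user-role` route and the callbacks are hypothetical; every WordPress function used is core API.

```php
<?php
// Added example: a REST route missing authorisation (BEFORE) beside its hardened form (AFTER).
// Namespace, route and handlers are hypothetical; the WordPress functions are core API.

// BEFORE: '__return_true' tells WordPress that anyone may call the route, so the only
// thing protecting the site is the handler itself, and this handler trusts its input.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-automator/v1', '/user-role', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // no capability check at all
        'callback'            => function ( WP_REST_Request $request ) {
            $user = new WP_User( (int) $request['user_id'] );
            $user->set_role( sanitize_key( $request['role'] ) ); // any caller can pick any role
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );

// AFTER: the hardened form.
//  1. permission_callback requires a capability, not merely a session. For cookie-authenticated
//     requests WordPress validates the X-WP-Nonce header before this runs; without a valid
//     nonce the request is treated as anonymous and current_user_can() returns false.
//  2. 'args' validates and sanitises input before the handler sees it.
//  3. The handler applies the same checks as wp-admin's user editor: the caller must be allowed
//     to edit the target account, may only hand out roles they could assign in the UI,
//     and may never change their own role.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-automator/v1', '/user-role', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'promote_users' );
        },
        'args' => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => function ( $v ) { return is_numeric( $v ) && (int) $v > 0; },
                'sanitize_callback' => 'absint',
            ),
            'role' => array(
                'required'          => true,
                'validate_callback' => function ( $v ) { return wp_roles()->is_role( $v ); },
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            $user_id = $request['user_id'];
            $role    = $request['role'];

            if ( $user_id === get_current_user_id() ) {
                return new WP_Error( 'rest_forbidden', 'You cannot change your own role.', array( 'status' => 403 ) );
            }
            if ( ! current_user_can( 'edit_user', $user_id ) ) {
                return new WP_Error( 'rest_forbidden', 'You may not edit this user.', array( 'status' => 403 ) );
            }
            // get_editable_roles() lives in an admin include that is not loaded on REST requests;
            // core's own users controller pulls it in the same way.
            require_once ABSPATH . 'wp-admin/includes/user.php';
            if ( ! array_key_exists( $role, get_editable_roles() ) ) {
                return new WP_Error( 'rest_forbidden', 'You may not assign this role.', array( 'status' => 403 ) );
            }

            $user = new WP_User( $user_id );
            $user->set_role( $role );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );
```

When reviewing a plugin's REST surface, the quickest audit is to grep for `register_rest_route` and inspect each `permission_callback`: `__return_true` or a closure that only checks `is_user_logged_in()` on a route that changes state is the pattern to flag.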

Patch Timeline and Rapid Response

The vulnerability came to light through responsible disclosure by researcher @SolidSERP, who earned a $1,065 bug bounty. Plugin developers responded swiftly:

  • March 17, 2025: Partial fix in v6.3.0.2
  • April 1, 2025: Complete remediation in v6.4.0

Wordfence deployed Premium firewall rules immediately upon discovery, blocking exploit attempts proactively. Free users received the same rules during the April rollout. At peak exposure, 50,000+ sites remained vulnerable across small businesses, bloggers and enterprises.

The No-Code Security Paradox

Uncanny Automator’s popularity stems from democratising complex automation—triggering emails on form submissions, syncing CRM data, managing memberships—all without coding. This power creates expanded attack surface: compromised automations could chain across mail servers (Sendinblue), payment gateways (Stripe), CRMs (HubSpot) and analytics (Google Analytics).

The incident underscores WordPress ecosystem realities:

  • 43% of sites run outdated core/plugins (WPScan)
  • 95% of breaches trace to third-party extensions
  • Automation plugins amplify compromise scope

Immediate Action Required

Site administrators must prioritise:

  1. Update to Uncanny Automator 6.4.0+ immediately
  2. Audit all user accounts—remove/disable low-privilege users
  3. Deploy Wordfence, Patchstack or Sucuri for real-time protection
  4. Review plugin permissions and endpoint access
  5. Enable 2FA on all admin accounts
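Steps 2 and 4 above are point-in-time audits; a privilege-escalation bug is also worth watching for continuously, because the end result of the attack described here is always the same event: an account that was not an administrator becomes one. The following must-use plugin is an added example (not part of the article and not affiliated with Uncanny Automator or Wordfence) that hooks WordPress core's `set_user_role` and `add_user_role` actions, writes every promotion to administrator to the PHP error log, and e-mails the site admin when the promotion did not come from a capable user in wp-admin. The "expected promotion" heuristic and the log line format are this example's own assumptions; the hook names, their arguments and the `REST_REQUEST` constant are WordPress core.

```php
<?php
/**
 * Plugin Name: Admin Promotion Monitor (added example, not the article's or plugin's code)
 * Description: Logs and alerts on any role change to administrator. Place in wp-content/mu-plugins/.
 */

// Fires from WP_User::set_role() with ( $user_id, $new_role, $old_roles ).
add_action( 'set_user_role', function ( $user_id, $new_role, $old_roles ) {
    apm_inspect_promotion( (int) $user_id, (string) $new_role, (array) $old_roles, 'set_user_role' );
}, 10, 3 );

// Fires from WP_User::add_role() with ( $user_id, $role ); old roles are not passed.
add_action( 'add_user_role', function ( $user_id, $role ) {
    apm_inspect_promotion( (int) $user_id, (string) $role, array(), 'add_user_role' );
}, 10, 2 );

function apm_inspect_promotion( $user_id, $new_role, array $old_roles, $hook ) {
    // Only promotions to administrator are of interest here.
    if ( 'administrator' !== $new_role || in_array( 'administrator', $old_roles, true ) ) {
        return;
    }

    $actor   = get_current_user_id();                       // 0 for cron, WP-CLI or anonymous
    $is_rest = defined( 'REST_REQUEST' ) && REST_REQUEST;     // set by WordPress for REST API requests
    $uri     = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-';
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';

    // Constructed log format (assumption): one line per promotion, easy to ship to a SIEM.
    $line = sprintf(
        '[admin-promotion] user=%d old=%s new=%s actor=%d hook=%s rest=%s uri=%s ip=%s',
        $user_id,
        $old_roles ? implode( ',', $old_roles ) : '-',
        $new_role,
        $actor,
        $hook,
        $is_rest ? 'yes' : 'no',
        $uri,
        $ip
    );
    error_log( $line );

    // Heuristic (assumption): a legitimate promotion is made in wp-admin, not over REST,
    // by someone who holds promote_users and is not promoting themselves.
    $expected = is_admin()
        && ! $is_rest
        && $actor !== $user_id
        && $actor > 0
        && user_can( $actor, 'promote_users' );

    if ( ! $expected ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Unexpected administrator promotion on ' . home_url(),
            $line . "\n\nIf you did not make this change, review the account and your plugins immediately."
        );
    }
}
```

The log line is deliberately flat so it can be forwarded by whatever already tails the PHP error log; the e-mail is the minimum viable alert and can be swapped for a webhook to a SIEM or chat channel. Because the hooks fire inside core regardless of which plugin triggered the role change, the monitor covers the REST API path described in this article as well as any future plugin that reaches the same outcome by another route.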

Broader Implications for WordPress Security

As no-code platforms proliferate, security demands shift from code review to runtime protection. Plugin developers must implement zero-trust API design—nonce validation, capability checks, rate limiting—as table stakes. WordPress’s 43% global market share makes plugin hygiene a national cybersecurity priority.

The Uncanny Automator breach reinforces familiar lessons with fresh urgency: patching remains non-negotiable, least privilege is mandatory, and plugin ecosystems demand continuous scrutiny. For 50,000+ site owners, the cost of inaction could be total operational compromise.
