Critical WordPress Plugin Vulnerability Affects Over 50,000 Websites

Post Views: 7

WordPress Plugin Vulnerability Exposes Over 50,000 Sites to Compromise

A recently discovered vulnerability in the Uncanny Automator plugin has compromised the security of more than 50,000 WordPress sites, allowing authenticated users to escalate their privileges to administrator level.

High-Severity Flaw Enables Attackers to Gain Full Control

This high-severity flaw, assigned CVE-2025-2075 with a CVSS severity score of 8.8, enables attackers to gain full control over a website’s settings and functionality. The issue arises from missing authorization and capability checks in certain REST API endpoints within the plugin.

This weakness allows logged-in users, even those with low-level permissions, to exploit the vulnerability with relative ease. According to security researchers, successful exploitation could enable attackers to install malicious plugins, redirect users to fraudulent websites, inject harmful content, or completely take over website operations.

According to security researchers, “The vulnerability poses significant risks, particularly for sites handling sensitive user data or financial transactions.”

The incident highlights the importance of regular updates, proper access management, and continuous monitoring within the WordPress ecosystem, particularly from third-party plugins that lack robust security controls.

Patches Released to Address Vulnerability

Following responsible disclosure, the plugin developers released patches to address the vulnerability. A partial fix was issued on March 17, 2025, with version 6.3.0.2, followed by a complete patch on April 1, 2025, with version 6.4.0.

Security provider Wordfence also deployed firewall protections for premium users shortly after the vulnerability was identified, with broader protection rolled out to free users in April 2025.

Action Required for Website Administrators

Website administrators are strongly advised to update to the latest plugin version immediately to mitigate risks.

The researcher who reported the flaw was awarded $1,065 through a bug bounty program, reflecting industry efforts to incentivize responsible disclosure and strengthen platform security.

“This vulnerability serves as a reminder of the ongoing risks present within the WordPress ecosystem and emphasizes the need for regular updates, proper access management, and continuous monitoring to ensure the security and integrity of websites.”

Update to the latest plugin version immediately to mitigate risks.
Regularly monitor your website for any signs of compromise.
Implement strong password policies and two-factor authentication to prevent unauthorized access.
Keep your WordPress core and all installed plugins up to date.