50,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Uncanny Automator WordPress Plugin


📱 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.


On March 5th, 2025, we received a submission for a Privilege Escalation vulnerability in Uncanny Automator, a WordPress plugin with more than 50,000 active installations. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to grant themselves administrative privileges by updating their own user role.

Props to mikemyers who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,065.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 7, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on April 6, 2025.

We contacted the Uncanny Owl team on March 11, 2025, and received a response on the same day. After providing full disclosure details, the developer released the first patch on March 17, 2025, and the second patch on April 1, 2025. We would like to commend the Uncanny Owl team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Uncanny Automator, version 6.4.0 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Uncanny Automator <= 6.3.0.2 – Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Affected Plugin: Uncanny Automator
Plugin Slug: uncanny-automator
Affected Versions: <= 6.3.0.2
CVE ID: CVE-2025-2075
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: mikemyers
Fully Patched Version: 6.4.0
Bounty Award: $1,065.00

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due to the add_role() and user_role() functions missing proper capability checks, and to the validate_rest_call() function through which they are reached performing none. This makes it possible for unauthenticated requests to set the role of arbitrary users to administrator, granting full access to the site; because exploitation still requires an active account on the site, this is classified as an authenticated privilege escalation.

Technical Analysis

Examining the code reveals that the plugin uses the add_role() function in the WP_ADDROLE class to add a user role, and the user_role() function in the WP_USERROLE class to update a user's role. Both are triggered via the async_action REST API endpoint, whose only request validation is the validate_rest_call() function shown below.

public function validate_rest_call( $request ) {

    $action = $request->get_body_params();

    // Only the shape of the request body is validated here. There is no
    // current_user_can() or other capability check on the caller.
    if ( empty( $action['action_data']['meta']['integration'] ) || empty( $this->get_action_code( $action ) ) ) {
        return false;
    }

    return true;
}

public function add_role( $user_id, $action_data, $recipe_id, $args ) {

    // The role to add comes straight from the request data.
    $role = $action_data['meta'][ $this->action_meta ];

    $user_obj = new WP_User( (int) $user_id );
    // Always true for a freshly constructed WP_User; this does not verify
    // that the user exists or that the caller may change roles.
    if ( $user_obj instanceof WP_User ) {
        $user_obj->add_role( $role );

        // Hydrate the tokens with value.
        $this->hydrate_tokens(
            array(
                'USER_ROLES' => ! empty( $user_obj->roles ) ? implode( ', ', array_values( $user_obj->roles ) ) : '',
            )
        );

        Automator()->complete->user->action( $user_id, $action_data, $recipe_id );
    }
}

public function user_role( $user_id, $action_data, $recipe_id, $args ) {

    // The new role comes straight from the request data.
    $role = $action_data['meta'][ $this->action_meta ];

    $user_obj = new WP_User( (int) $user_id );

    $user_roles = $user_obj->roles;

    // The only guard is that the target user is not already an administrator.
    // Nothing restricts which role may be assigned, so 'administrator' is accepted.
    if ( ! in_array( 'administrator', $user_roles, true ) ) {

        $user_obj->set_role( $role );
        // Hydrate the tokens with value.
        $this->hydrate_tokens(
            array(
                'USER_ROLES' => ! empty( $user_obj->roles ) ? implode( ', ', array_values( $user_obj->roles ) ) : '',
            )
        );

        Automator()->complete->action( $user_id, $action_data, $recipe_id );

    } else {

        $error_message = esc_attr__( 'For security, the change role action cannot be applied to administrators.', 'uncanny-automator' );

        $action_data['complete_with_errors'] = true;

        Automator()->complete->action( $user_id, $action_data, $recipe_id, $error_message );

    }
}

The most significant problem, and the root of the vulnerability, is that neither the REST API endpoint nor the validate_rest_call() function performs any capability check. Any request that reaches the endpoint can therefore set the role of an arbitrary user to administrator. In practice, this means an attacker holding nothing more than a subscriber account could escalate that account to administrator.
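As an added example (not the plugin's actual patch, which is not reproduced here), the following shows where authorization belongs around an endpoint such as async_action: a permission_callback at route registration, a second capability check inside the validator, and a guard on the role being assigned. The route namespace, path and function names are assumed for illustration.

```php
<?php
// Added example, not the plugin's actual patch. Shows where authorization
// must sit around the async_action endpoint described above. The namespace,
// route path and handler names below are assumed for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route(
        'uncanny-automator/v1',   // assumed namespace
        '/async_action',          // assumed route
        array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'example_async_action_handler', // assumed
            // permission_callback runs before the callback; a missing or
            // always-true one is exactly the "missing authorization" pattern.
            'permission_callback' => function () {
                return current_user_can( 'promote_users' );
            },
        )
    );
} );

// The same structural check as the original validate_rest_call(), plus an
// explicit capability check kept in the validator as well, so the endpoint
// stays safe if the route registration is ever changed (defense in depth).
function validate_rest_call_hardened( WP_REST_Request $request ) {
    if ( ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    $action = $request->get_body_params();
    if ( empty( $action['action_data']['meta']['integration'] ) ) {
        return new WP_Error( 'rest_invalid_param', 'Missing integration.', array( 'status' => 400 ) );
    }
    return true;
}

// The role-changing step itself should refuse unknown roles and never grant
// administrator from an automation, regardless of who triggered it.
function example_set_role_guarded( int $user_id, string $role ) {
    if ( 'administrator' === $role || ! wp_roles()->is_role( $role ) ) {
        return new WP_Error( 'invalid_role', 'Role not permitted.', array( 'status' => 400 ) );
    }
    $user = new WP_User( $user_id );
    if ( ! $user->exists() ) {
        return new WP_Error( 'invalid_user', 'No such user.', array( 'status' => 404 ) );
    }
    $user->set_role( $role );
    return true;
}
```

promote_users is the capability WordPress itself requires for role changes in wp-admin, so reusing it keeps the REST path consistent with the existing user-management permissions.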

As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.

Disclosure Timeline

March 4, 2025 – We received the submission for the Privilege Escalation vulnerability in Uncanny Automator via the Wordfence Bug Bounty Program.
March 6, 2025 – We validated the report and confirmed the proof-of-concept exploit.
March 7, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
March 11, 2025 – We initiated contact via the vendor contact form, asking that they confirm the inbox for handling the discussion.
March 11, 2025 – The vendor confirmed the inbox for handling the discussion.
March 11, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
March 17, 2025 – The partially patched version of the plugin, 6.3.0.2, was released.
April 1, 2025 – The fully patched version of the plugin, 6.4.0, was released.
April 6, 2025 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed a Privilege Escalation vulnerability within the Uncanny Automator plugin affecting versions 6.3.0.2 and earlier. This vulnerability allows authenticated threat actors with subscriber-level access or higher to gain elevated privileges. The vulnerability has been addressed in version 6.4.0 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Uncanny Automator as soon as possible considering the critical nature of this vulnerability.

Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against these vulnerabilities as of March 7, 2025. Users using the free version of Wordfence will receive the same protection 30 days later on April 6, 2025.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
