CVE-2025-2075: 
WordPress vulnerability analysis and mitigation

The Uncanny Automator WordPress plugin (versions up to 6.3.0.2) contains a Privilege Escalation vulnerability identified as CVE-2025-2075. The vulnerability stems from improper capability checks in the addrole() and userrole() functions through the validaterestcall() function. This security flaw was discovered and reported by Wordfence, with an initial disclosure date of April 4, 2025 (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The flaw is categorized under CWE-862 (Missing Authorization). The issue specifically relates to missing proper capability checks in the validaterestcall() function, which is responsible for validating REST API calls in the plugin (NVD).

When successfully exploited, this vulnerability allows attackers with an active account on the site to set the role of arbitrary users to administrator, effectively granting them full access to the site. While the attack requires an authenticated user account, the potential impact is severe as it can lead to complete site compromise (NVD).

The vulnerability has been addressed through security patches as evidenced in the WordPress plugin repository (WordPress Plugin, WordPress Update). Users are strongly advised to update their Uncanny Automator plugin to a version newer than 6.3.0.2 to protect against this vulnerability.