CVE-2025-4520: 
WordPress vulnerability analysis and mitigation

The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. This vulnerability (CVE-2025-4520) was discovered on May 13, 2025, and allows authenticated attackers with subscriber-level permissions or above to update plugin settings (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L. The vulnerability is classified as CWE-862 (Missing Authorization) and stems from insufficient authorization checks in the plugin's AJAX functions (NVD, Wordfence).

The vulnerability allows authenticated users with subscriber-level access or higher to modify plugin settings, potentially leading to unauthorized changes in the plugin's configuration. This could affect the integrity and availability of automated workflows managed by the plugin (NVD).

Users should update their Uncanny Automator plugin to a version newer than 6.4.0.2 once available. Until then, it is recommended to review and restrict user roles with access to the plugin (NVD).