CVE-2025-48133: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability (CVE-2025-48133) was discovered in Uncanny Owl's Uncanny Automator WordPress plugin, affecting versions through 6.4.0.2. The vulnerability was disclosed on June 5, 2025, and involves incorrectly configured access control security levels (Wiz Security, Patchstack).

The vulnerability is classified as a Broken Access Control issue with a CVSS v3.1 Base Score of 6.5 (Medium). The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring No privileges (PR:N) and No user interaction (UI:N). The scope is Unchanged (S:U), with No impact on confidentiality (C:N) but Low impact on both integrity (I:L) and availability (A:L) (Wiz Security).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. This broken access control issue could potentially lead to unauthorized access to privileged functions within the WordPress plugin (Patchstack).

Users are advised to update to Uncanny Automator version 6.5.0 or later, which contains the fix for this vulnerability. For temporary mitigation, Patchstack has issued a virtual patch to block potential attacks until the update can be applied (Patchstack).