CVE-2025-4520
Uncanny Automator <= 6.4.0.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings UpdateThe Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update plugin settings.
We have discovered 234 live websites that are affected by CVE-2025-4520.
Affected Software
| Product |  Uncanny Automator |
| Category | Wordpress Plugins |
| Vulnerable Domains | 234 live websites (103.54% of Uncanny Automator install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 34 versions ( 94.44% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - May 14, 2025
- Updated - May 14, 2025
Credits
- Michael Mazzolini (finder)
CWE
CVE References
CWE References
CVE-2025-4520 usage by Country
 United States | 125 websites |
 Germany | 27 websites |
 GB | 7 websites |
 Cyprus | 5 websites |
 France | 5 websites |
 Denmark | 4 websites |
 Australia | 4 websites |
 South Africa | 4 websites |
 Spain | 4 websites |
CVE-2025-4520 usage by TLD
| .com | 106 websites |
| .org | 19 websites |
| .co.uk | 10 websites |
| .net | 8 websites |
| .ca | 6 websites |
| .com.au | 5 websites |
| .es | 4 websites |
| .fr | 3 websites |
| .de | 3 websites |
| .com.br | 3 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-4520
Top websites that are affected by CVE-2025-4520. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***************.*************.gov | United States | *,***,*** | |
| *******.******.org | United States | *,***,*** | |
| **********.******.org | United States | *,***,*** | |
| ***************.nl | United States | *,***,*** | |
| *****.**.gov | United States | *,***,*** | |
| *************************.nl | United States | *,***,*** | |
| ***************.***.au | United States | *,***,*** | |
| **********.ch | United States | *,***,*** | |
| *************.ch | United States | *,***,*** | |
| *************.******.org | United States | *,***,*** | |
| *********.******.org | United States | *,***,*** | |
| *********.li |  Liechtenstein | *,***,*** | |
| ********.*************.gov | United States | *,***,*** | |
| ******.***.ar | United States | *,***,*** | |
| *************.****************.com | United States | *,***,*** | |
| *********.swiss | United States | *,***,*** | |
| ******.ua | United States | *,***,*** | |
| **************.***.au | Australia | *,***,*** | |
| **************.***.au | United States | **,***,*** | |
| *******************.ch |  Switzerland | **,***,*** |
FAQ
CVE-2025-4520 is Missing Authorization in Uncanny Automator
A total of 234 websites have been identified as vulnerable to CVE-2025-4520, based on global website indexing conducted by WebTechSurvey.
The Uncanny Automator is affected by the CVE-2025-4520 vulnerability.
Uncanny Automator versions up to and including 6.4.0.2 are vulnerable to CVE-2025-4520.