Uncannyowl
Products by Uncannyowl Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 2 vulnerabilities in Uncannyowl with an average score of 6.8 out of ten. Last year, in 2025, Uncannyowl had 6 security vulnerabilities published. Right now, Uncannyowl is on track to have fewer security vulnerabilities in 2026 than it did last year. Last year, the average CVE base score was greater by 0.17.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 6.80 |
| 2025 | 6 | 6.97 |
| 2024 | 7 | 6.57 |
| 2023 | 1 | 4.30 |
It may take a day or so for new Uncannyowl vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Uncannyowl Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-2269 | Mar 03, 2026 | **Uncanny Automator <=7.0.0.3 SSRF via download_url() (CVE-2026-2269)** The Uncanny Automator Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.0.0.3 via the download_url() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Additionally, the plugin stores the contents of the remote files on the server, which can be leveraged to upload arbitrary files on the affected site's server which may make remote code execution possible. | |
| CVE-2025-15522 | Jan 23, 2026 | **Uncanny Automator v6.10.0.2 XSS via automator_discord_user_mapping shortcode** The Uncanny Automator Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page. | |
| CVE-2025-66056 | Nov 21, 2025 | **Unauth Control Sphere: Sensitive Data Exposure in Uncanny Automator <6.10.0** Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Uncanny Owl Uncanny Automator uncanny-automator allows Retrieve Embedded Sensitive Data. This issue affects Uncanny Automator: from n/a through < 6.10.0. | |
| CVE-2025-48133 | Jun 05, 2025 | **Uncanny Automator v6.4.0.2: Missing Auth Exploiting Access Control** Missing Authorization vulnerability in Uncanny Owl Uncanny Automator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uncanny Automator: from n/a through 6.4.0.2. | |
| CVE-2025-4520 | May 14, 2025 | **Unauth Data Mod in Uncanny Automator WP Plugin <=6.4.0.2 via Missing Cap Check** The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update plugin settings. | |
| CVE-2025-3623 | May 14, 2025 | **Uncanny Automator PHP Object Injection v<=6.4.0.1 via automator_api_decode_message()** The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files. | |
| CVE-2025-2075 | Apr 04, 2025 | **Uncanny Automator WP Plugin v6.3.0.2 – Auth Priv Esc via role() w/o checks** The Uncanny Automator Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due to add_role() and user_role() functions missing proper capability checks performed through the validate_rest_call() function. This makes it possible for unauthenticated attackers to set the role of arbitrary users to administrator granting full access to the site, though privilege escalation requires an active account on the site so this is considered an authenticated privilege escalation. | |
| CVE-2024-13838 | Mar 12, 2025 | **Uncanny Automator <=6.2 SSRF via call_webhook Admin** The Uncanny Automator Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.2 via the 'call_webhook' method of the Automator_Send_Webhook class. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |
| CVE-2024-37119 | Nov 01, 2024 | **Uncanny Automator Pro Missing Auth Vulnerability Before 5.3.0.0** Missing Authorization vulnerability in Uncanny Owl Uncanny Automator Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uncanny Automator Pro: from n/a through 5.3.0.0. | |
| CVE-2024-8350 | Sep 25, 2024 | **Uncanny Groups REST API Add User Capability Check Bypass (<=6.1.0.1)** The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to user group add due to a missing capability check on the /wp-json/ulgm_management/v1/add_user/ REST API endpoint in all versions up to, and including, 6.1.0.1. This makes it possible for authenticated attackers, with group leader-level access and above, to add users to their group which ultimately allows them to leverage CVE-2024-8349 and gain admin access to the site. | |