Uncannyowl

Products by Uncannyowl Sorted by Most Security Vulnerabilities since 2018

Uncannyowl Uncanny Automator: 10 vulnerabilities

By the Year

In 2026 there have been 2 vulnerabilities in Uncannyowl with an average score of 6.8 out of ten. Last year, in 2025, Uncannyowl had 6 security vulnerabilities published. Right now, Uncannyowl is on track to have fewer security vulnerabilities in 2026 than it did last year. Last year, the average CVE base score was greater by 0.17.




| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 2 | 6.80 |
| 2025 | 6 | 6.97 |
| 2024 | 7 | 6.57 |
| 2023 | 1 | 4.30 |

It may take a day or so for new Uncannyowl vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Uncannyowl Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-2269 Mar 03, 2026
Uncanny Automator <=7.0.0.3 SSRF via download_url() (CVE-2026-2269)
The Uncanny Automator Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.0.0.3 via the download_url() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Additionally, the plugin stores the contents of the remote files on the server, which can be leveraged to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-15522 Jan 23, 2026
Uncanny Automator v6.10.0.2 XSS via automator_discord_user_mapping shortcode
The Uncanny Automator Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page.
CVE-2025-66056 Nov 21, 2025
Unauth Control Sphere: Sensitive Data Exposure in Uncanny Automator <6.10.0
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Uncanny Owl Uncanny Automator uncanny-automator allows Retrieve Embedded Sensitive Data. This issue affects Uncanny Automator: from n/a through < 6.10.0.
Products: Uncanny Automator
CVE-2025-48133 Jun 05, 2025
Uncanny Automator v6.4.0.2: Missing Auth Exploiting Access Control
Missing Authorization vulnerability in Uncanny Owl Uncanny Automator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uncanny Automator: from n/a through 6.4.0.2.
Products: Uncanny Automator
CVE-2025-4520 May 14, 2025
Unauth Data Mod in Uncanny Automator WP Plugin <=6.4.0.2 via Missing Cap Check
The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update plugin settings.
Products: Uncanny Automator
CVE-2025-3623 May 14, 2025
Uncanny Automator PHP Object Injection v<=6.4.0.1 via automator_api_decode_message()
The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.
Products: Uncanny Automator
CVE-2025-2075 Apr 04, 2025
Uncanny Automator WP Plugin v6.3.0.2 – Auth Priv Esc via role() w/o checks
The Uncanny Automator Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due to add_role() and user_role() functions missing proper capability checks performed through the validate_rest_call() function. This makes it possible for unauthenticated attackers to set the role of arbitrary users to administrator, granting full access to the site, though privilege escalation requires an active account on the site, so this is considered an authenticated privilege escalation.
Products: Uncanny Automator
CVE-2024-13838 Mar 12, 2025
Uncanny Automator <=6.2 SSRF via call_webhook Admin
The Uncanny Automator Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.2 via the 'call_webhook' method of the Automator_Send_Webhook class. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Products: Uncanny Automator
CVE-2024-37119 Nov 01, 2024
Uncanny Automator Pro Missing Auth Vulnerability Before 5.3.0.0
Missing Authorization vulnerability in Uncanny Owl Uncanny Automator Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uncanny Automator Pro: from n/a through 5.3.0.0.
Products: Uncanny Automator
CVE-2024-8350 Sep 25, 2024
Uncanny Groups REST API Add User Capability Check Bypass (<=6.1.0.1)
The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to user group add due to a missing capability check on the /wp-json/ulgm_management/v1/add_user/ REST API endpoint in all versions up to, and including, 6.1.0.1. This makes it possible for authenticated attackers, with group leader-level access and above, to add users to their group which ultimately allows them to leverage CVE-2024-8349 and gain admin access to the site.
Products: Uncanny Groups For Learndash
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).