Description
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privilege Escalation once such an automation is activated by the administrator.
Published: 2025-09-09
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The AutomatorWP plugin contains a missing capability check on the automatorwp_ajax_import_automation_from_url function, allowing any authenticated user with Subscriber access or higher to create arbitrary automations. Those automations can contain malicious code that is executed when an administrator activates them, leading to remote code execution and potential privilege escalation. The attack grants control over the WordPress site, compromising confidentiality, integrity, and availability.

Affected Systems

WordPress sites running the AutomatorWP – Automator plugin version 5.3.6 or earlier are affected. The plugin is provided by rubengc. All releases up to and including 5.3.6 lack the necessary authorization check.

Risk and Exploitability

The CVSS score of 8 indicates high severity, but the EPSS score of less than 1% suggests a low to moderate likelihood of exploitation in the wild at the time of analysis. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is an authenticated attacker who can log into the site as a Subscriber or higher; by calling the AJAX endpoint that lacks the capability check, they can create a malicious automation, which is then executed when an administrator activates it.

Generated by OpenCVE AI on April 21, 2026 at 03:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AutomatorWP plugin to the latest available version that removes the missing capability check.
  • If an update is not immediately possible, restrict the capability that allows importing automations so that only administrators hold it, removing it from Subscriber and other low-privilege roles.
  • Configure audit logging and monitor the admin/automations pages for unexpected automation creation by users who should not be able to create automations (Subscriber and other non-administrator roles).
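As an added illustration (not AutomatorWP's own code), the pattern behind a missing capability check in a WordPress AJAX handler and its hardened form. The action and function names (`myplugin_import_from_url`, `myplugin_import_definition`) and the nonce action `myplugin_import` are hypothetical; the point is that any logged-in user can reach a `wp_ajax_*` callback, so authorization has to be enforced inside the callback itself.

```php
<?php
// Added example, not plugin code. All myplugin_* names are hypothetical.
// Every logged-in user can trigger a wp_ajax_* action, so the callback
// must perform its own nonce and capability checks.

// Vulnerable pattern: the callback trusts the login session alone.
add_action( 'wp_ajax_myplugin_import_from_url', 'myplugin_import_from_url_unchecked' );
function myplugin_import_from_url_unchecked() {
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    // A Subscriber reaches this line and can create an automation definition.
    myplugin_import_definition( $url );
    wp_send_json_success();
}

// Hardened pattern: nonce + capability check before any state change.
add_action( 'wp_ajax_myplugin_import_from_url_checked', 'myplugin_import_from_url_checked' );
function myplugin_import_from_url_checked() {
    // CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'myplugin_import', 'nonce' );
    // Authorization: only users allowed to manage the site may import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( array( 'message' => 'Invalid URL.' ), 400 );
    }
    myplugin_import_definition( $url );
    wp_send_json_success();
}

// Hypothetical import routine: fetch a JSON definition with the SSRF-aware
// wp_safe_remote_get() and decode it; storage of the automation is out of scope here.
function myplugin_import_definition( $url ) {
    $response = wp_safe_remote_get( $url );
    if ( is_wp_error( $response ) ) {
        return false;
    }
    $definition = json_decode( wp_remote_retrieve_body( $response ), true );
    return is_array( $definition );
}
```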

Advisories
Source: EUVD
ID: EUVD-2025-27224
Title: The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privilege Escalation once such an automation is activated by the administrator.
History

Tue, 09 Sep 2025 23:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Sep 2025 21:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Automatorwp; Automatorwp automatorwp; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Automatorwp; Automatorwp automatorwp; Wordpress; Wordpress wordpress

Tue, 09 Sep 2025 07:00:00 +0000

Type: Description
Values Added: The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privilege Escalation once such an automation is activated by the administrator.

Type: Title
Values Added: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.3.6 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation

Type: Weaknesses
Values Added: CWE-94

Type: References
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Added: {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:51.505Z

Reserved: 2025-08-27T12:25:37.390Z

Link: CVE-2025-9539

Vulnrichment

Updated: 2025-09-09T19:26:53.134Z

NVD

Status: Deferred

Published: 2025-09-09T07:15:33.313

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9539

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:15:16Z

Weaknesses