Description
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple plugin's functions in all versions up to, and including, 5.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify integration settings or view existing automations.
Published: 2025-09-09
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification and viewing of automations via missing authorization check
Action: Apply patch
AI Analysis

Impact

The AutomatorWP plugin contains a missing capability check in several functions that allows any authenticated WordPress user with Subscriber level or higher to change integration settings and view existing automations. This flaw is a classic example of an authority problem (CWE-862) that enables privilege escalation within the WordPress environment. The impact is that attackers can alter or tamper with automation workflows, potentially leading to data leakage or disruption of automated processes.

Affected Systems

Affected systems are WordPress sites running AutomatorWP versions up through 5.3.7 inclusive. The plugin is distributed under the rubengc:AutomatorWP CNA and is expected to be installed via the WordPress plugin directory. Version information is limited to a maximum of 5.3.7, with no specific lower bound indicated.

Risk and Exploitability

The CVSS base score of 5.4 places this vulnerability in the medium severity range, reflecting that exploitation requires authenticated access but does not grant full system compromise. The EPSS score of less than 1% indicates a low observed probability of exploitation at this time. Because the flaw is not listed in the CISA KEV catalog, there are no known large‑scale exploit campaigns recorded. The likely attack vector is a legitimate login that the attacker uses to obtain Subscriber level rights, after which the missing capability check is leveraged to manipulate plugin data.

Generated by OpenCVE AI on April 21, 2026 at 03:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AutomatorWP plugin to a version newer than 5.3.7 to apply the official fix
  • If an update is not immediately possible, deactivate or uninstall the plugin to remove the attack surface
  • Limit WordPress user roles to prevent Subscriber+ users from accessing administrative features that interact with AutomatorWP
  • Monitor WordPress logs for anomalous changes to automation settings or unauthorized view attempts

Generated by OpenCVE AI on April 21, 2026 at 03:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27225 The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple plugin's functions in all versions up to, and including, 5.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify integration settings or view existing automations.
History

Tue, 09 Sep 2025 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Sep 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Automatorwp
Automatorwp automatorwp
Wordpress
Wordpress wordpress
Vendors & Products Automatorwp
Automatorwp automatorwp
Wordpress
Wordpress wordpress

Tue, 09 Sep 2025 07:00:00 +0000

Type Values Removed Values Added
Description The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple plugin's functions in all versions up to, and including, 5.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify integration settings or view existing automations.
Title AutomatorWP <= 5.3.7 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Automatorwp Automatorwp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:11.328Z

Reserved: 2025-08-27T13:37:06.045Z

Link: CVE-2025-9542

cve-icon Vulnrichment

Updated: 2025-09-09T19:26:18.200Z

cve-icon NVD

Status : Deferred

Published: 2025-09-09T07:15:33.627

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9542

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T03:15:16Z

Weaknesses