Impact
The vulnerability is a broken authentication flaw (CWE‑288) found in WordPress AutomatorWP plugin versions up to 5.6.7. It allows an attacker to bypass normal login checks, potentially impersonating any user account on the site. Based on the description, it is inferred that an attacker can submit specially crafted authentication requests that the plugin accepts without verifying valid credentials, resulting in unauthorized access to administrative functions, content creation, or automated workflows.
Affected Systems
The affected product is the WordPress AutomatorWP plugin developed by Ruben Garcia. All releases through 5.6.7 are vulnerable; newer releases (5.6.8 and later) contain a patch that restores correct authentication handling. Websites that run any of these affected versions—and especially those that rely on the plugin for critical automation tasks—are at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate to high severity, while the EPSS score of less than 1 % suggests a low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog, meaning no large‑scale exploits have been reported yet. The likely attack vector is a web‑based authentication request; attackers can submit requests that bypass authentication checks. Although exploitation is not widespread, the risk to unpatched sites remains significant, particularly if the plugin is used by privileged accounts.
OpenCVE Enrichment