Description
Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions.
Published: 2026-06-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken authentication flaw (CWE‑288) found in WordPress AutomatorWP plugin versions up to 5.6.7. It allows an attacker to bypass normal login checks, potentially impersonating any user account on the site. Based on the description, it is inferred that an attacker can submit specially crafted authentication requests that the plugin accepts without verifying valid credentials, resulting in unauthorized access to administrative functions, content creation, or automated workflows.

Affected Systems

The affected product is the WordPress AutomatorWP plugin developed by Ruben Garcia. All releases through 5.6.7 are vulnerable; newer releases (5.6.8 and later) contain a patch that restores correct authentication handling. Websites that run any of these affected versions—and especially those that rely on the plugin for critical automation tasks—are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity, while the EPSS score of less than 1 % suggests a low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog, meaning no large‑scale exploits have been reported yet. The likely attack vector is a web‑based authentication request; attackers can submit requests that bypass authentication checks. Although exploitation is not widespread, the risk to unpatched sites remains significant, particularly if the plugin is used by privileged accounts.

Generated by OpenCVE AI on June 18, 2026 at 03:26 UTC.

Remediation

Vendor Solution

Update the WordPress AutomatorWP Plugin to the latest available version (at least 5.6.8).


OpenCVE Recommended Actions

  • Update the AutomatorWP plugin to a patch‑equipped version (≥ 5.6.8).
  • Verify that the plugin’s authentication mechanisms are actively enforced by reviewing the plugin settings and removing any auto‑login or session bypass options.
  • If immediate patching is not possible, restrict administrator access to the WordPress admin area with IP filtering or two‑factor authentication to reduce the likelihood of successful impersonation.

Generated by OpenCVE AI on June 18, 2026 at 03:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Ruben Garcia
Ruben Garcia automatorwp
Wordpress
Wordpress wordpress
Vendors & Products Ruben Garcia
Ruben Garcia automatorwp
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions.
Title WordPress AutomatorWP plugin <= 5.6.7 - Broken Authentication vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}


Subscriptions

Ruben Garcia Automatorwp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:27:23.338Z

Reserved: 2026-04-15T09:20:42.117Z

Link: CVE-2026-40785

cve-icon Vulnrichment

Updated: 2026-06-15T22:27:15.511Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:50.827

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40785

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:30Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel