Description
Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions.
Published: 2026-06-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken authentication flaw (CWE-288, Authentication Bypass Using an Alternate Path or Channel) in the WordPress AutomatorWP plugin, versions up to and including 5.6.7. It allows an attacker to impersonate any user without providing valid credentials, potentially giving unauthorized access to administrative functions or to content creation and automation workflows. The impact includes unauthorized disclosure of site content, modification of site data, and possible further privilege escalation.

Affected Systems

The affected product is the WordPress AutomatorWP plugin developed by Ruben Garcia. All releases through 5.6.7 are vulnerable; newer releases (5.6.8 and later) contain a patch that restores correct authentication handling. Sites running any affected version, particularly those that rely on the plugin for critical automation tasks, are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity, while the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in CISA's KEV catalog, meaning no known large-scale exploitation has been reported yet. The likely attack vector is a web-based authentication request; attackers can submit requests that bypass authentication checks. Even though exploitation is not widespread, the risk to unpatched sites is significant, especially where the plugin is used by privileged accounts.

Generated by OpenCVE AI on June 16, 2026 at 22:26 UTC.

Remediation

Vendor Solution

Update the WordPress AutomatorWP Plugin to the latest available version (at least 5.6.8).


OpenCVE Recommended Actions

  • Update the AutomatorWP plugin to the latest stable release (version ≥ 5.6.8).
  • Review site logs for anomalous authentication activity that may indicate exploitation during the vulnerable period.
  • Enable two‑factor authentication for all administrator and high‑privilege accounts and restrict access to the WordPress admin area to trusted IP addresses.

Tracking

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 23:30:00 +0000

Values Added (no values removed):
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Values Added (no values removed):
  • Description: Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions.
  • Title: WordPress AutomatorWP plugin <= 5.6.7 - Broken Authentication vulnerability
  • Weaknesses: CWE-288
  • References: (empty)
  • Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:27:23.338Z

Reserved: 2026-04-15T09:20:42.117Z

Link: CVE-2026-40785

Vulnrichment

Updated: 2026-06-15T22:27:15.511Z

NVD

Status: Deferred

Published: 2026-06-15T21:16:50.827

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40785

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:30:05Z

Weaknesses
  • CWE-288: Authentication Bypass Using an Alternate Path or Channel