Impact
Unauthenticated Cross Site Scripting (XSS) exists in all AutomatorWP plugin versions up to and including 5.6.7. This weakness allows an attacker to inject arbitrary client‑side scripts that will execute when a susceptible page is rendered. The impact of a successful exploit includes defacement, theft of user credentials or session cookies, and other operations that can be performed by the victim’s browser. The flaw is a classic input validation failure under CWE‑79.
Affected Systems
The vulnerability affects WordPress sites that use the AutomatorWP plugin developed by Ruben Garcia. All plugin releases with version numbers less than or equal to 5.6.7 are impacted; newer releases (5.6.8 and above) contain the fix.
Risk and Exploitability
The CVSS score of 7.2 indicates a high‑severity risk and the EPSS score of less than 1% suggests that exploitation attempts are expected to be rare. The vulnerability is not listed in CISA's KEV, reducing the likelihood of known exploitation. Attackers could inject malicious JavaScript via unauthenticated requests; no special privileges or credentials are required. The impact is primarily client‑side but may compromise the privacy of users and the integrity of the site content.
OpenCVE Enrichment