Primary

Context

AutomatorWP WordPress Plugin Missing Capability Check Vulnerability Allowing Remote Code Execution

Vulnerability

Patched

A vulnerability exists in the AutomatorWP WordPress plugin, specifically in versions through 5.3.6, due to a missing capability check in the 'automatorwp_ajax_import_automation_from_url' function. This flaw allows authenticated attackers with Subscriber-level access and above to create arbitrary automations. Once activated by an administrator, these automations could lead to remote code execution or privilege escalation.

Impact

Exploitation of this vulnerability could result in unauthorized data modification, with the potential for remote code execution or privilege escalation, depending on the actions created through the vulnerable function.

Remediation

Users are advised to update the AutomatorWP WordPress plugin to version 5.3.7 or a newer patched version.

Added: Sep 9, 2025, 7:18 AM

Updated: Sep 9, 2025, 7:18 AM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

10.0

exploitability

6.1

remediation

7.7

relevance

0.5

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

10.0

exploitability

6.1

remediation

7.7

relevance

0.5

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

AutomatorWP WordPress Plugin Missing Capability Check Vulnerability Allowing Remote Code Execution

Vulnerability

Impact

Remediation

Affected Products

AutomatorWP

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating