Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress

Source -

CNA

CNA CVEs -

4

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
4Vulnerabilities found
CVE-2025-9539
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-8||HIGH
EPSS-0.21% / 43.97%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 06:40
Updated-08 Apr, 2026 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.3.6 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privilege escalation once such automation is activated by the administrator

Action-Not Available
Vendor-rubengc
Product-AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-9542
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 12.53%
||
7 Day CHG~0.00%
Published-09 Sep, 2025 | 06:40
Updated-08 Apr, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AutomatorWP <= 5.3.7 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple plugin's functions in all versions up to, and including, 5.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify integration settings or view existing automations.

Action-Not Available
Vendor-rubengc
Product-AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2025-5487
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.24% / 47.05%
||
7 Day CHG~0.00%
Published-14 Jun, 2025 | 06:41
Updated-08 Apr, 2026 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AutomatorWP <= 5.2.5 - Authenticated (Administrator+) SQL Injection via field_conditions

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the field_conditions parameter in all versions up to, and including, 5.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Administrators can configure the plugin to allow access to this functionality to authors and higher.

Action-Not Available
Vendor-rubengc
Product-AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-12626
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-9.6||CRITICAL
EPSS-3.28% / 87.21%
||
7 Day CHG~0.00%
Published-19 Dec, 2024 | 11:14
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
AutomatorWP <= 5.0.9 - Reflected Cross-Site Scripting via a-0-o-search_field_value

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. When used in conjunction with the plugin's import and code action feature, this vulnerability can be leveraged to execute arbitrary code.

Action-Not Available
Vendor-rubengc
Product-AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')