Plugin Vulnerability Hub
Plugin | 11 known issues | Latest disclosed Apr 29, 2026

AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress Vulnerabilities

Review known vulnerability records for the WordPress plugin AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress (`automatorwp`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-42650, CVE-2026-40785 and CVE-2025-9539, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 11
High or Critical: 5
Patch Coverage: 100%
Last Updated: May 04, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 11 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 1 critical and 4 high severity findings.
Recent CVEs: CVE-2026-42650, CVE-2026-40785 and CVE-2025-9539
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2025-9539 High Patch path listed

AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.3.6 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missi...

Published: Sep 08, 2025
Patch Status: 5.3.7

Known Vulnerabilities

Reports for AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-42650
AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.6.7 - Unauthenticated Stored Cross-Site Scripting

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.6.7 due to insufficient input sanitization and output escaping. This makes...

Published: Apr 29, 2026
Patched Release: 5.6.8
Affected Versions: Versions up to 5.6.7
Next Step: Update to 5.6.8 or newer if supported.

Plugin High Patched: Yes CVE-2026-42650
AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.6.7 - Missing Authorization

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.6.7. This makes it possible fo...

Published: Apr 23, 2026
Patched Release: 5.6.8
Affected Versions: Versions up to 5.6.7
Next Step: Update to 5.6.8 or newer if supported.

Plugin High Patched: Yes CVE-2025-9539
AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.3.6 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all ver...

Published: Sep 08, 2025
Patched Release: 5.3.7
Affected Versions: Versions up to 5.3.6
Next Step: Update to 5.3.7 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-9542
AutomatorWP <= 5.3.7 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple plugin functions in all versions up to, and i...

Published: Sep 08, 2025
Patched Release: 5.3.8
Affected Versions: Versions up to 5.3.7
Next Step: Update to 5.3.8 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-68561
AutomatorWP <= 5.2.4 - Authenticated (Administrator+) SQL Injection

The AutomatorWP plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.2.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers...

Published: Jun 19, 2025
Patched Release: 5.2.5
Affected Versions: Versions up to 5.2.4
Next Step: Update to 5.2.5 or newer if supported.

Plugin High Patched: Yes CVE-2025-5487
AutomatorWP <= 5.2.5 - Authenticated (Administrator+) SQL Injection via field_conditions

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the field_conditions parameter in all versions up to, and including, 5.2.3 due to insufficient escaping on th...

Published: Jun 13, 2025
Patched Release: 5.2.6
Affected Versions: Versions up to 5.2.5
Next Step: Update to 5.2.6 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-48280
AutomatorWP <= 5.2.1.3 - Authenticated (Administrator+) SQL Injection

The AutomatorWP plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.2.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attacke...

Published: May 19, 2025
Patched Release: 5.2.2
Affected Versions: Versions up to 5.2.1.3
Next Step: Update to 5.2.2 or newer if supported.

Plugin Critical Patched: Yes CVE-2024-12626
AutomatorWP <= 5.0.9 - Reflected Cross-Site Scripting via a-0-o-search_field_value

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficien...

Published: Dec 18, 2024
Patched Release: 5.1.0
Affected Versions: Versions up to 5.0.9
Next Step: Update to 5.1.0 or newer if supported.

Plugin Medium Patched: Yes
AutomatorWP <= 2.5.8 - Cross Site Request Forgery via bulk_delete

The AutomatorWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.8. This is due to missing or incorrect nonce validation on the bulk_delete() function. This makes it possible for unauthenticated attackers to bulk delete CT obj...

Published: Feb 14, 2023
Patched Release: 2.5.9
Affected Versions: Versions up to 2.5.8
Next Step: Update to 2.5.9 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-23992
AutomatorWP <= 2.5.0 - Cross Site Request Forgery

The AutomatorWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.0. This is due to missing nonce validation on the delete() function. This makes it possible for unauthenticated attackers to delete display settings, granted the...

Published: Jan 20, 2023
Patched Release: 2.5.1
Affected Versions: Versions up to 2.5.0
Next Step: Update to 2.5.1 or newer if supported.

Plugin High Patched: Yes CVE-2021-24717
AutomatorWP <= 1.7.5 - Privilege Escalation

The AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails, call functions, or perform privilege escalation via Ajax actions.

Published: Sep 28, 2021
Patched Release: 1.7.6
Affected Versions: Versions before 1.7.6
Next Step: Update to 1.7.6 or newer if supported.