Plugin Vulnerability Hub
Plugin 12 known issues Latest disclosed Jun 03, 2026

AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress Vulnerabilities

Review known vulnerability records for the WordPress plugin AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress (`automatorwp`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-42775, CVE-2026-42650 and CVE-2026-40785, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 12
High or Critical: 6
Patch Coverage: 100%
Last Updated: Jun 08, 2026

Patch Decision Workflow

How to prioritize AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records: 11

1. Match the Package: Confirm the installed WordPress plugin slug is `automatorwp` before acting on any CVE from this cluster.
2. Sort by Severity: Start with 6 high or critical records, then review medium and unrated findings with public references.
3. Check Patch Evidence: 12 records include a patch path; verify compatibility before closing the finding.
4. Monitor Gaps: 0 records still lack a listed fixed release, so keep this hub in the review queue.
Priority CVE Quick Links

Fast paths into AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 11

| Tracked CVE | Issue Type | Affected Versions | Fixed Version | CVSS |
| --- | --- | --- | --- | --- |
| CVE-2024-12626: AutomatorWP <= 5.0.9 - Reflected Cross-Site Scripting via a-0-o-search_field_value | Cross-Site Scripting | Versions up to 5.0.9 | 5.1.0 | 9.6 |
| CVE-2021-24717: AutomatorWP <= 1.7.5 - Privilege Escalation | Privilege Escalation | Versions before 1.7.6 | 1.7.6 | 8.8 |
| CVE-2025-9539: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integratio... | Remote Code Execution | Versions up to 5.3.6 | 5.3.7 | 8.0 |
| CVE-2026-42775: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integratio... | Stored Cross-Site Scripting | Versions up to 5.7.2 | 5.7.3 | 7.2 |
| CVE-2026-42650: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integratio... | Stored Cross-Site Scripting | Versions up to 5.6.7 | 5.6.8 | 7.2 |
| CVE-2025-5487: AutomatorWP <= 5.2.5 - Authenticated (Administrator+) SQL Injection via field_condit... | SQL Injection | Versions up to 5.2.5 | 5.2.6 | 7.2 |
| CVE-2025-9542: AutomatorWP <= 5.3.7 - Authenticated (Subscriber+) Missing Authorization to Multiple... | Vulnerability | Versions up to 5.3.7 | 5.3.8 | 5.4 |
| CVE-2025-68561: AutomatorWP <= 5.2.4 - Authenticated (Administrator+) SQL Injection | SQL Injection | Versions up to 5.2.4 | 5.2.5 | 4.9 |

CVE-2024-12626 Critical 5.1.0
CVE-2024-12626 AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress Cross-Site Scripting

AutomatorWP <= 5.0.9 - Reflected Cross-Site Scripting via a-0-o-search_field_value

CVE-2021-24717 High 1.7.6
CVE-2021-24717 AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress Privilege Escalation

AutomatorWP <= 1.7.5 - Privilege Escalation

CVE-2025-9539 High 5.3.7
CVE-2025-9539 AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress Remote Code Execution

AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.3.6 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation

CVE-2026-42775 High 5.7.3
CVE-2026-42775 AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress Stored Cross-Site Scripting

AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.7.2 - Unauthenticated Stored Cross-Site Scripting

CVE-2026-42650 High 5.6.8
CVE-2026-42650 AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress Stored Cross-Site Scripting

AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.6.7 - Unauthenticated Stored Cross-Site Scripting

CVE-2025-5487 High 5.2.6
CVE-2025-5487 AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress SQL Injection

AutomatorWP <= 5.2.5 - Authenticated (Administrator+) SQL Injection via field_conditions

CVE-2025-9542 Medium 5.3.8
CVE-2025-9542 AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress Vulnerability

AutomatorWP <= 5.3.7 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions

CVE-2025-68561 Medium 5.2.5
CVE-2025-68561 AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress SQL Injection

AutomatorWP <= 5.2.4 - Authenticated (Administrator+) SQL Injection

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 12 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 1 critical and 5 high severity findings.
Recent CVEs: CVE-2026-42775, CVE-2026-42650 and CVE-2026-40785
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-42775
CVE-2026-42775: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.7.2 - Unauthenticated Stored Cross-Site Scripting

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.7.2 due to insufficient input sanitization and output escaping. This makes...

Published: Jun 03, 2026
Patched Release: 5.7.3
Affected Versions: Versions up to 5.7.2
Next Step: Update to 5.7.3 or newer if supported.

Plugin High Patched: Yes CVE-2026-42650
CVE-2026-42650: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.6.7 - Unauthenticated Stored Cross-Site Scripting

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.6.7 due to insufficient input sanitization and output escaping. This makes...

Published: Apr 29, 2026
Patched Release: 5.6.8
Affected Versions: Versions up to 5.6.7
Next Step: Update to 5.6.8 or newer if supported.

Plugin Medium Patched: Yes CVE-2026-40785
CVE-2026-40785: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.6.7 - Missing Authorization

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.6.7. This makes it possible fo...

Published: Apr 23, 2026
Patched Release: 5.6.8
Affected Versions: Versions up to 5.6.7
Next Step: Update to 5.6.8 or newer if supported.

Plugin High Patched: Yes CVE-2025-9539
CVE-2025-9539: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.3.6 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all ver...

Published: Sep 08, 2025
Patched Release: 5.3.7
Affected Versions: Versions up to 5.3.6
Next Step: Update to 5.3.7 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-9542
CVE-2025-9542: AutomatorWP <= 5.3.7 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple plugin's functions in all versions up to, and i...

Published: Sep 08, 2025
Patched Release: 5.3.8
Affected Versions: Versions up to 5.3.7
Next Step: Update to 5.3.8 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-68561
CVE-2025-68561: AutomatorWP <= 5.2.4 - Authenticated (Administrator+) SQL Injection

The AutomatorWP plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.2.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers...

Published: Jun 19, 2025
Patched Release: 5.2.5
Affected Versions: Versions up to 5.2.4
Next Step: Update to 5.2.5 or newer if supported.

Plugin High Patched: Yes CVE-2025-5487
CVE-2025-5487: AutomatorWP <= 5.2.5 - Authenticated (Administrator+) SQL Injection via field_conditions

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the field_conditions parameter in all versions up to, and including, 5.2.3 due to insufficient escaping on th...

Published: Jun 13, 2025
Patched Release: 5.2.6
Affected Versions: Versions up to 5.2.5
Next Step: Update to 5.2.6 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-48280
CVE-2025-48280: AutomatorWP <= 5.2.1.3 - Authenticated (Administrator+) SQL Injection

The AutomatorWP plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.2.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attacke...

Published: May 19, 2025
Patched Release: 5.2.2
Affected Versions: Versions up to 5.2.1.3
Next Step: Update to 5.2.2 or newer if supported.

Plugin Critical Patched: Yes CVE-2024-12626
CVE-2024-12626: AutomatorWP <= 5.0.9 - Reflected Cross-Site Scripting via a-0-o-search_field_value

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficien...

Published: Dec 18, 2024
Patched Release: 5.1.0
Affected Versions: Versions up to 5.0.9
Next Step: Update to 5.1.0 or newer if supported.

Plugin Medium Patched: Yes
AutomatorWP <= 2.5.8 - Cross Site Request Forgery via bulk_delete

The AutomatorWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.8. This is due to missing or incorrect nonce validation on the bulk_delete() function. This makes it possible for unauthenticated attackers to bulk delete CT obj...

Published: Feb 14, 2023
Patched Release: 2.5.9
Affected Versions: Versions up to 2.5.8
Next Step: Update to 2.5.9 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-23992
CVE-2023-23992: AutomatorWP <= 2.5.0 - Cross Site Request Forgery

The AutomatorWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.0. This is due to missing nonce validation on the delete() function. This makes it possible for unauthenticated attackers to delete display settings, granted the...

Published: Jan 20, 2023
Patched Release: 2.5.1
Affected Versions: Versions up to 2.5.0
Next Step: Update to 2.5.1 or newer if supported.

Plugin High Patched: Yes CVE-2021-24717
CVE-2021-24717: AutomatorWP <= 1.7.5 - Privilege Escalation

The AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails, call functions, or perform privilege escalation via Ajax actions.

Published: Sep 28, 2021
Patched Release: 1.7.6
Affected Versions: Versions before 1.7.6
Next Step: Update to 1.7.6 or newer if supported.