CVE Alert: CVE-2025-9539 – rubengc – AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress
CVE-2025-9539
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privilege Escalation once such an automation is activated by an administrator.
AI Summary Analysis
Risk verdict
High risk. Authenticated Subscriber+ users can craft harmful automations via the vulnerable import function, and an administrator-activated automation can lead to remote code execution or privilege escalation.
Why this matters
WordPress sites relying on AutomatorWP for no-code automations are exposed to site compromise, data manipulation, or persistence from low-privilege actors. The attack chain leverages normal admin workflows, making breaches harder to detect and potentially enabling broader admin-level access.
Most likely attack path
An authenticated user with Subscriber-level rights or higher submits a crafted import request to the unprotected AJAX handler and creates a malicious automation. The preconditions are low: the attacker only needs a valid low-privilege account and ordinary network access to the site's admin-ajax endpoint, and no exploit beyond a forged request. The final step still depends on user interaction: when an administrator reviews and activates the crafted automation, the actions it carries run with the administrator's privileges, so code execution or privilege escalation becomes possible and can be used for further compromise or lateral movement within the WordPress instance.
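The flaw class behind this CVE is a privileged WordPress AJAX handler that is reachable by any logged-in user because it never checks the caller's capability. The following is an added illustration, not code from AutomatorWP or from this page: a hypothetical handler (all `demo_*` names, the action strings and the `manage_options` capability are assumptions) that imports an automation from a URL, shown first without the check, as the advisory describes, and then with the capability check and nonce that close the hole.

```php
<?php
// Added example, not code from the AutomatorWP project. The demo_* names,
// the wp_ajax_* action strings and the capability used are hypothetical;
// they model the flaw class in the advisory (a privileged AJAX handler with
// no capability check) and its fix.

// Shared helper: fetch JSON from $url and persist it as an inactive
// automation (modelled here as a draft post). Only the callers differ.
function demo_import_automation_from_url( $url ) {
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        return new WP_Error( 'bad_payload', 'Import payload is not valid JSON.' );
    }
    // This write is the privileged step: it creates an automation that an
    // administrator may later activate without realising who authored it.
    return wp_insert_post( array(
        'post_type'    => 'post',
        'post_status'  => 'draft',
        'post_title'   => sanitize_text_field( $data['title'] ?? 'Imported automation' ),
        'post_content' => wp_json_encode( $data ),
    ), true );
}

// VULNERABLE PATTERN: wp_ajax_* only guarantees that *some* user is logged
// in. A Subscriber can POST action=demo_import_vulnerable&url=... to
// /wp-admin/admin-ajax.php and create arbitrary automations.
add_action( 'wp_ajax_demo_import_vulnerable', 'demo_ajax_import_vulnerable' );
function demo_ajax_import_vulnerable() {
    $url    = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $result = demo_import_automation_from_url( $url );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success( array( 'id' => $result ) );
}

// HARDENED PATTERN: identical logic behind an authorisation check and a
// CSRF nonce. The capability should be whatever the plugin already requires
// for its admin screens; manage_options is an assumption here.
add_action( 'wp_ajax_demo_import_hardened', 'demo_ajax_import_hardened' );
function demo_ajax_import_hardened() {
    // 1. Authorisation: reject everyone who may not manage the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'demo_import_automation', 'nonce' );

    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $url ) {
        wp_send_json_error( 'Missing url.', 400 );
    }
    $result = demo_import_automation_from_url( $url );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $result ) );
}
```

Note that the nonce alone would not have prevented this CVE: a Subscriber can obtain a nonce for any action the page hands out to logged-in users, so the capability check is the control that actually matters; the nonce only stops a third party from triggering the import through the administrator's browser.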
Who is most exposed
Sites running AutomatorWP 5.3.6 or earlier, especially those that hand out low-privilege accounts freely (open registration, membership or community sites with many Subscriber, Contributor or Author users). Shared-hosting and multi-tenant WordPress deployments are at higher risk because more people hold the authenticated access the attack requires, and because a single administrator activating an imported automation is a routine event that is unlikely to be questioned.
Detection ideas
- Sudden surge of new automations created by low-privilege users.
- Imports containing unusual or obfuscated automation payloads.
- Admin actions triggered shortly after a suspicious import.
- Unexplained PHP errors or code execution indicators in logs.
- Anomalous outbound connections or external webhook activity tied to automations.
Mitigation and prioritisation
- Update to a release newer than 5.3.6 (every version up to and including 5.3.6 is affected); until then, disable or restrict automation import for non-administrator roles.
- Enforce least-privilege access for automation creation; review user role assignments.
- Apply WAF/IPS rules to admin-ajax.php requests that invoke the vulnerable import action from non-administrator sessions, and monitor automation activity logs.
- Test updates in a staging environment before production rollout; implement change-management notes.
- If the CVE appears in the CISA KEV catalogue or its EPSS score is ≥ 0.5, treat it as priority 1.
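The detection ideas and the interim mitigation above can be combined in a small must-use plugin that a site operator drops into wp-content/mu-plugins/ while waiting for the update. This is an added example, not code from AutomatorWP or from this page. It assumes the import is dispatched through admin-ajax.php with an `action` parameter whose name contains `import_automation_from_url` (the advisory names the handler `automatorwp_ajax_import_automation_from_url` but does not state the exact wp_ajax_* action string, so the guard matches on that suffix), and it assumes the plugin exposes its version as an `AUTOMATORWP_VER` constant; if that constant is missing the guard stays fail-closed.

```php
<?php
/**
 * Plugin Name: Temporary guard for AutomatorWP URL import (CVE-2025-9539)
 * Description: Added example, not AutomatorWP code. Logs every call to the
 *              import-from-URL AJAX action and refuses it for non-admins.
 *              Remove once the site runs a release newer than 5.3.6.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_{action}, so a
// guard on admin_init runs before the plugin's own handler gets control.
add_action( 'admin_init', 'demo_guard_automatorwp_import', 1 );

function demo_guard_automatorwp_import() {
    if ( ! wp_doing_ajax() || ! isset( $_REQUEST['action'] ) ) {
        return;
    }

    // Assumption: the affected action name carries this suffix. Verify it
    // against the installed plugin's add_action( 'wp_ajax_...' ) calls.
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( false === strpos( $action, 'import_automation_from_url' ) ) {
        return;
    }

    // Assumption: AutomatorWP defines AUTOMATORWP_VER. On a fixed release the
    // guard steps aside; if the constant is absent we keep blocking.
    if ( defined( 'AUTOMATORWP_VER' ) && version_compare( AUTOMATORWP_VER, '5.3.6', '>' ) ) {
        return;
    }

    $user     = wp_get_current_user();
    $is_admin = current_user_can( 'manage_options' );
    $ip       = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';

    // Detection: record every attempt, allowed or not, so imports from
    // unexpected accounts (the "surge of new automations by low-privilege
    // users" signal above) show up in the PHP error log / SIEM.
    error_log( sprintf(
        'automatorwp-import-guard action=%s user_id=%d login=%s roles=%s ip=%s allowed=%s',
        $action,
        (int) $user->ID,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        $ip,
        $is_admin ? 'yes' : 'no'
    ) );

    // Mitigation: only administrators may import until the plugin is updated.
    if ( ! $is_admin ) {
        wp_send_json_error( 'Automation import is restricted to administrators.', 403 );
    }
}
```

Because the guard lives in mu-plugins it cannot be disabled from the dashboard and survives plugin updates; once the site is on a fixed release it does nothing but log, and can be deleted. The log line is deliberately one flat key=value record so it can be picked up by whatever log shipper the site already uses.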