Ruben Garcia AutomatorWP CVE-2025-68561
HIGHSeverity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ruben Garcia AutomatorWP automatorwp allows SQL Injection.This issue affects AutomatorWP: from n/a through <= 5.2.4.
AnalysisAI
SQL injection in AutomatorWP WordPress plugin through version 5.2.4 allows authenticated attackers to execute arbitrary SQL commands. The vulnerability exists in the plugin's database query handling where user-supplied input is not properly sanitized before being used in SQL statements. While EPSS scoring indicates low exploitation probability (0.04th percentile), the SQL injection vector represents a critical capability if exploited, potentially enabling data exfiltration, modification, or deletion from the affected WordPress database.
Technical ContextAI
AutomatorWP is a WordPress automation plugin that enables users to create complex automation workflows. The vulnerability stems from CWE-89 (SQL Injection), a classic input validation failure where user-controlled data reaches database query construction without proper parameterization or escaping. This typically occurs when the plugin builds dynamic SQL queries using string concatenation or inadequate prepared statement implementation. WordPress plugins are executed within the wp-content/plugins directory and interact directly with the wpdb database abstraction layer; improper use of this API (such as direct query concatenation instead of parameterized queries with $wpdb->prepare()) creates SQLi exposure. The affected plugin versions through 5.2.4 contain this flaw in their automation rule processing or trigger evaluation logic.
Affected ProductsAI
AutomatorWP WordPress plugin versions from an unspecified baseline through and including version 5.2.4 are affected. The plugin is distributed via WordPress.org plugin repository and installed in the wp-content/plugins/automatorwp directory. Vulnerability data from Patchstack indicates the flaw is present in all versions up to and including 5.2.4, though the starting version of vulnerability introduction is not explicitly documented.
RemediationAI
Site administrators running AutomatorWP should immediately update the plugin to version 5.2.5 or later, which contains the SQL injection fix. Update the plugin via the WordPress admin dashboard (Plugins > Updates) or via WordPress CLI using wp plugin update automatorwp. If a patched version is not yet available, temporarily disable the AutomatorWP plugin and review active automation rules for suspicious configurations. Site owners should also audit database access logs and user accounts with plugin management capabilities to detect prior unauthorized access. The vulnerability details and remediation guidance are available on the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/automatorwp/vulnerability/wordpress-automatorwp-plugin-5-2-4-sql-injection-vulnerability.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today