Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Network-reachable WordPress endpoint, low complexity, requires Subscriber authentication (PR:L), no UI; broken auth tampers automation (I:L) and can disrupt site (A:H) without leaking data (C:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions.
AnalysisAI
Broken authentication in the AutomatorWP WordPress plugin versions 5.6.7 and earlier allows authenticated users with low-level Subscriber privileges to bypass authorization controls, enabling integrity tampering and high availability impact on affected WordPress sites. The flaw is tracked via Patchstack and ENISA EUVD-2026-36989, with no public exploit identified at time of analysis. EPSS data was not provided, and the issue is not currently listed in CISA KEV.
Technical ContextAI
AutomatorWP is a no-code automation plugin for WordPress that connects plugins and triggers/actions across the site, developed by Ruben Garcia (CPE cpe:2.3:a:ruben_garcia:automatorwp). The root cause is CWE-288 (Authentication Bypass Using an Alternate Path or Channel), meaning a code path within the plugin fails to enforce the capability or role check that should restrict an action to administrators, leaving it reachable by any authenticated user including the default Subscriber role. In WordPress, Subscriber is the lowest privileged authenticated role and is commonly granted via open user registration, so capability checks (current_user_can) on AJAX or REST endpoints are the primary defense - when missing or misapplied, low-privileged users gain access to administrative functionality exposed by the plugin.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should upgrade AutomatorWP to the latest version above 5.6.7 as published on the WordPress.org plugin repository and verified against the Patchstack entry at https://patchstack.com/database/wordpress/plugin/automatorwp/vulnerability/wordpress-automatorwp-plugin-5-6-7-broken-authentication-vulnerability. If immediate upgrade is not possible, disable the AutomatorWP plugin entirely (which will halt all configured automations and may break dependent workflows), or as a less disruptive compensating control temporarily disable open user registration via Settings → General → Membership to prevent attackers from self-provisioning a Subscriber account (this blocks legitimate new signups), and restrict access to /wp-admin/admin-ajax.php and AutomatorWP REST namespaces from untrusted networks at the WAF or reverse proxy layer (this may break front-end AJAX features for logged-in users).
More in Automatorwp
View allThe AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber role
Unauthenticated stored/reflected cross-site scripting in the AutomatorWP WordPress plugin (versions <= 5.6.7) allows rem
Reflected/stored Cross-Site Scripting in the WordPress plugin AutomatorWP versions 5.7.2 and earlier allows unauthentica
Cross-Site Request Forgery (CSRF) vulnerability in AutomatorWP plugin <= 2.5.0 leads to object delete. Rated medium seve
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36989
GHSA-47m7-6x3q-v8mc