Skip to main content

AutomatorWP CVE-2026-40785

| EUVDEUVD-2026-36989 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-15 Patchstack GHSA-47m7-6x3q-v8mc
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
7.1 HIGH

Network-reachable WordPress endpoint, low complexity, requires Subscriber authentication (PR:L), no UI; broken auth tampers automation (I:L) and can disrupt site (A:H) without leaking data (C:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:07 vuln.today

DescriptionCVE.org

Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions.

AnalysisAI

Broken authentication in the AutomatorWP WordPress plugin versions 5.6.7 and earlier allows authenticated users with low-level Subscriber privileges to bypass authorization controls, enabling integrity tampering and high availability impact on affected WordPress sites. The flaw is tracked via Patchstack and ENISA EUVD-2026-36989, with no public exploit identified at time of analysis. EPSS data was not provided, and the issue is not currently listed in CISA KEV.

Technical ContextAI

AutomatorWP is a no-code automation plugin for WordPress that connects plugins and triggers/actions across the site, developed by Ruben Garcia (CPE cpe:2.3:a:ruben_garcia:automatorwp). The root cause is CWE-288 (Authentication Bypass Using an Alternate Path or Channel), meaning a code path within the plugin fails to enforce the capability or role check that should restrict an action to administrators, leaving it reachable by any authenticated user including the default Subscriber role. In WordPress, Subscriber is the lowest privileged authenticated role and is commonly granted via open user registration, so capability checks (current_user_can) on AJAX or REST endpoints are the primary defense - when missing or misapplied, low-privileged users gain access to administrative functionality exposed by the plugin.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should upgrade AutomatorWP to the latest version above 5.6.7 as published on the WordPress.org plugin repository and verified against the Patchstack entry at https://patchstack.com/database/wordpress/plugin/automatorwp/vulnerability/wordpress-automatorwp-plugin-5-6-7-broken-authentication-vulnerability. If immediate upgrade is not possible, disable the AutomatorWP plugin entirely (which will halt all configured automations and may break dependent workflows), or as a less disruptive compensating control temporarily disable open user registration via Settings → General → Membership to prevent attackers from self-provisioning a Subscriber account (this blocks legitimate new signups), and restrict access to /wp-admin/admin-ajax.php and AutomatorWP REST namespaces from untrusted networks at the WAF or reverse proxy layer (this may break front-end AJAX features for logged-in users).

Share

CVE-2026-40785 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy