Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Network-reachable unauthenticated injection (AV:N/PR:N), but realizing admin impact requires a victim to view the rendered payload (UI:R); scope changes into the admin session (S:C) with limited C/I impact and no availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.6.7 versions.
AnalysisAI
Unauthenticated stored/reflected cross-site scripting in the AutomatorWP WordPress plugin (versions <= 5.6.7) allows remote attackers to inject malicious JavaScript that executes in the context of victim browsers, including site administrators. No public exploit identified at time of analysis, but the CVSS scope-change rating (7.2 High) reflects the cross-origin impact typical of XSS where attacker-supplied script crosses a trust boundary into the WordPress admin session. Patchstack reported the issue and tracks it in their WordPress vulnerability database.
Technical ContextAI
AutomatorWP is a WordPress automation plugin (vendor: Ruben Garcia, CPE cpe:2.3:a:ruben_garcia:automatorwp) that connects triggers and actions across WordPress plugins, similar to Zapier-style workflows. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is rendered into HTML output without proper escaping or sanitization. Because the CVSS vector specifies PR:N and S:C (scope changed), the injection point is reachable without authentication and the executed script operates in a security context beyond the vulnerable component - typically the WordPress administrator's browser session, where it can perform privileged actions via the admin AJAX/REST APIs.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided data - administrators should upgrade AutomatorWP to the latest release available on the WordPress plugin repository (any version after 5.6.7) and consult the Patchstack entry at https://patchstack.com/database/wordpress/plugin/automatorwp/vulnerability/wordpress-automatorwp-plugin-5-6-7-cross-site-scripting-xss-vulnerability for the exact fixed version. If immediate patching is not possible, deactivate the AutomatorWP plugin (which will break any active automation workflows), or place a WAF rule such as Patchstack/Wordfence in front of the site to filter XSS payloads targeting AutomatorWP endpoints (this may produce false positives on legitimate automation rule definitions). Additionally, audit existing AutomatorWP configurations and post content for already-injected scripts, and rotate admin session cookies after patching.
More in Automatorwp
View allThe AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber role
Reflected/stored Cross-Site Scripting in the WordPress plugin AutomatorWP versions 5.7.2 and earlier allows unauthentica
Broken authentication in the AutomatorWP WordPress plugin versions 5.6.7 and earlier allows authenticated users with low
Cross-Site Request Forgery (CSRF) vulnerability in AutomatorWP plugin <= 2.5.0 leads to object delete. Rated medium seve
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36818
GHSA-rr8f-pgwf-255h