Skip to main content

AutomatorWP CVE-2026-42650

| EUVDEUVD-2026-36818 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-rr8f-pgwf-255h
7.2
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-reachable unauthenticated injection (AV:N/PR:N), but realizing admin impact requires a victim to view the rendered payload (UI:R); scope changes into the admin session (S:C) with limited C/I impact and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:01 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.6.7 versions.

AnalysisAI

Unauthenticated stored/reflected cross-site scripting in the AutomatorWP WordPress plugin (versions <= 5.6.7) allows remote attackers to inject malicious JavaScript that executes in the context of victim browsers, including site administrators. No public exploit identified at time of analysis, but the CVSS scope-change rating (7.2 High) reflects the cross-origin impact typical of XSS where attacker-supplied script crosses a trust boundary into the WordPress admin session. Patchstack reported the issue and tracks it in their WordPress vulnerability database.

Technical ContextAI

AutomatorWP is a WordPress automation plugin (vendor: Ruben Garcia, CPE cpe:2.3:a:ruben_garcia:automatorwp) that connects triggers and actions across WordPress plugins, similar to Zapier-style workflows. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is rendered into HTML output without proper escaping or sanitization. Because the CVSS vector specifies PR:N and S:C (scope changed), the injection point is reachable without authentication and the executed script operates in a security context beyond the vulnerable component - typically the WordPress administrator's browser session, where it can perform privileged actions via the admin AJAX/REST APIs.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided data - administrators should upgrade AutomatorWP to the latest release available on the WordPress plugin repository (any version after 5.6.7) and consult the Patchstack entry at https://patchstack.com/database/wordpress/plugin/automatorwp/vulnerability/wordpress-automatorwp-plugin-5-6-7-cross-site-scripting-xss-vulnerability for the exact fixed version. If immediate patching is not possible, deactivate the AutomatorWP plugin (which will break any active automation workflows), or place a WAF rule such as Patchstack/Wordfence in front of the site to filter XSS payloads targeting AutomatorWP endpoints (this may produce false positives on legitimate automation rule definitions). Additionally, audit existing AutomatorWP configurations and post content for already-injected scripts, and rotate admin session cookies after patching.

Share

CVE-2026-42650 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy