Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable WordPress plugin endpoint, no attacker auth, but victim interaction required; reflected XSS crosses scope into the admin browser context with low CIA impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.7.2 versions.
AnalysisAI
Reflected/stored Cross-Site Scripting in the WordPress plugin AutomatorWP versions 5.7.2 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they visit a crafted link or page. The CVSS 3.1 score of 7.1 reflects a scope change (S:C), meaning script execution affects components beyond the vulnerable one - typically authenticated WordPress administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
AutomatorWP is a popular WordPress automation plugin (CPE cpe:2.3:a:ruben_garcia:automatorwp) by Ruben Garcia that connects WordPress plugins to trigger automated workflows. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-supplied input is reflected or stored into HTML output without proper output encoding or input sanitization. Because the CVSS vector indicates PR:N and UI:R, an unauthenticated attacker likely crafts a malicious URL or input that, when rendered by an admin/user browser, executes attacker-controlled JavaScript in the WordPress site origin.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data - administrators should upgrade AutomatorWP to the latest available release beyond 5.7.2 by consulting the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/automatorwp/vulnerability/wordpress-automatorwp-plugin-5-7-2-cross-site-scripting-xss-vulnerability and the official WordPress plugin repository. If immediate patching is not possible, compensating controls include deploying a WordPress-aware WAF rule (e.g., Patchstack, Wordfence) to filter XSS payloads on AutomatorWP request paths, temporarily deactivating the plugin (trade-off: breaks any automation workflows it provides), restricting admin access via IP allowlisting on /wp-admin, and enforcing a strict Content-Security-Policy that disallows inline script execution (trade-off: may break legitimate plugin or theme features and requires testing).
More in Automatorwp
View allThe AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber role
Unauthenticated stored/reflected cross-site scripting in the AutomatorWP WordPress plugin (versions <= 5.6.7) allows rem
Broken authentication in the AutomatorWP WordPress plugin versions 5.6.7 and earlier allows authenticated users with low
Cross-Site Request Forgery (CSRF) vulnerability in AutomatorWP plugin <= 2.5.0 leads to object delete. Rated medium seve
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36839
GHSA-96g7-fvc7-jq58