Skip to main content

AutomatorWP CVE-2026-42775

| EUVDEUVD-2026-36839 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-96g7-fvc7-jq58
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable WordPress plugin endpoint, no attacker auth, but victim interaction required; reflected XSS crosses scope into the admin browser context with low CIA impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:55 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.7.2 versions.

AnalysisAI

Reflected/stored Cross-Site Scripting in the WordPress plugin AutomatorWP versions 5.7.2 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they visit a crafted link or page. The CVSS 3.1 score of 7.1 reflects a scope change (S:C), meaning script execution affects components beyond the vulnerable one - typically authenticated WordPress administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

AutomatorWP is a popular WordPress automation plugin (CPE cpe:2.3:a:ruben_garcia:automatorwp) by Ruben Garcia that connects WordPress plugins to trigger automated workflows. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-supplied input is reflected or stored into HTML output without proper output encoding or input sanitization. Because the CVSS vector indicates PR:N and UI:R, an unauthenticated attacker likely crafts a malicious URL or input that, when rendered by an admin/user browser, executes attacker-controlled JavaScript in the WordPress site origin.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data - administrators should upgrade AutomatorWP to the latest available release beyond 5.7.2 by consulting the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/automatorwp/vulnerability/wordpress-automatorwp-plugin-5-7-2-cross-site-scripting-xss-vulnerability and the official WordPress plugin repository. If immediate patching is not possible, compensating controls include deploying a WordPress-aware WAF rule (e.g., Patchstack, Wordfence) to filter XSS payloads on AutomatorWP request paths, temporarily deactivating the plugin (trade-off: breaks any automation workflows it provides), restricting admin access via IP allowlisting on /wp-admin, and enforcing a strict Content-Security-Policy that disallows inline script execution (trade-off: may break legitimate plugin or theme features and requires testing).

Share

CVE-2026-42775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy