Skip to main content

Automatorwp

5 CVEs product

Monthly

CVE-2026-42775 HIGH This Week

Reflected/stored Cross-Site Scripting in the WordPress plugin AutomatorWP versions 5.7.2 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they visit a crafted link or page. The CVSS 3.1 score of 7.1 reflects a scope change (S:C), meaning script execution affects components beyond the vulnerable one - typically authenticated WordPress administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Automatorwp
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-42650 HIGH This Week

Unauthenticated stored/reflected cross-site scripting in the AutomatorWP WordPress plugin (versions <= 5.6.7) allows remote attackers to inject malicious JavaScript that executes in the context of victim browsers, including site administrators. No public exploit identified at time of analysis, but the CVSS scope-change rating (7.2 High) reflects the cross-origin impact typical of XSS where attacker-supplied script crosses a trust boundary into the WordPress admin session. Patchstack reported the issue and tracks it in their WordPress vulnerability database.

XSS Automatorwp
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-40785 HIGH This Week

Broken authentication in the AutomatorWP WordPress plugin versions 5.6.7 and earlier allows authenticated users with low-level Subscriber privileges to bypass authorization controls, enabling integrity tampering and high availability impact on affected WordPress sites. The flaw is tracked via Patchstack and ENISA EUVD-2026-36989, with no public exploit identified at time of analysis. EPSS data was not provided, and the issue is not currently listed in CISA KEV.

Information Disclosure Automatorwp
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2023-23992 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in AutomatorWP plugin <= 2.5.0 leads to object delete. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Automatorwp
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2021-24717 HIGH POC This Week

The AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Privilege Escalation Authentication Bypass Automatorwp
NVD WPScan
CVSS 3.1
8.8
EPSS
1.3%
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored Cross-Site Scripting in the WordPress plugin AutomatorWP versions 5.7.2 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they visit a crafted link or page. The CVSS 3.1 score of 7.1 reflects a scope change (S:C), meaning script execution affects components beyond the vulnerable one - typically authenticated WordPress administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Automatorwp
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated stored/reflected cross-site scripting in the AutomatorWP WordPress plugin (versions <= 5.6.7) allows remote attackers to inject malicious JavaScript that executes in the context of victim browsers, including site administrators. No public exploit identified at time of analysis, but the CVSS scope-change rating (7.2 High) reflects the cross-origin impact typical of XSS where attacker-supplied script crosses a trust boundary into the WordPress admin session. Patchstack reported the issue and tracks it in their WordPress vulnerability database.

XSS Automatorwp
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Broken authentication in the AutomatorWP WordPress plugin versions 5.6.7 and earlier allows authenticated users with low-level Subscriber privileges to bypass authorization controls, enabling integrity tampering and high availability impact on affected WordPress sites. The flaw is tracked via Patchstack and ENISA EUVD-2026-36989, with no public exploit identified at time of analysis. EPSS data was not provided, and the issue is not currently listed in CISA KEV.

Information Disclosure Automatorwp
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in AutomatorWP plugin <= 2.5.0 leads to object delete. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Automatorwp
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

The AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Privilege Escalation Authentication Bypass +1
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy