CVE-2025-9539 - AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.3.6 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation
CVE ID : CVE-2025-9539
Published : Sept. 9, 2025, 7:15 a.m. | 59 minutes ago
Description : The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privilege escalation once such automation is activated by the administrator
Severity: 8.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : Sept. 9, 2025, 7:15 a.m. | 59 minutes ago
Description : The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privilege escalation once such automation is activated by the administrator
Severity: 8.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...