{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9539", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-27T12:25:37.390Z", "datePublished": "2025-09-09T06:40:36.082Z", "dateUpdated": "2026-04-08T17:11:51.505Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:51.505Z"}, "affected": [{"vendor": "rubengc", "product": "AutomatorWP \u2013 Automator plugin for no-code automations, webhooks & custom integrations in WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.3.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AutomatorWP \u2013 Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privilege escalation once such automation is activated by the administrator"}], "title": "AutomatorWP \u2013 Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.3.6 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9efa04ca-68c8-4221-a3d9-cf75010d2266?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/automatorwp/tags/5.3.6/includes/admin/pages/import-automation.php#L386"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2025-08-18T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-09-08T17:53:28.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-09T19:26:44.824026Z", "id": "CVE-2025-9539", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-09T19:27:02.969Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9539", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-09T19:26:44.824026Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-09T19:26:53.134Z"}}], "cna": {"title": "AutomatorWP \u2013 Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.3.6 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "rubengc", "product": "AutomatorWP \u2013 Automator plugin for no-code automations, webhooks & custom integrations in WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.3.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-18T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-09-08T17:53:28.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9efa04ca-68c8-4221-a3d9-cf75010d2266?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/automatorwp/tags/5.3.6/includes/admin/pages/import-automation.php#L386"}], "descriptions": [{"lang": "en", "value": "The AutomatorWP \u2013 Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privilege escalation once such automation is activated by the administrator"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:51.505Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9539", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:11:51.505Z", "dateReserved": "2025-08-27T12:25:37.390Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-09T06:40:36.082Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AutomatorWP \u2013 Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privilege escalation once such automation is activated by the administrator"}], "id": "CVE-2025-9539", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-09T07:15:33.313", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/automatorwp/tags/5.3.6/includes/admin/pages/import-automation.php#L386"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9efa04ca-68c8-4221-a3d9-cf75010d2266?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:10:23.289120+00:00", "value": {"mitigation_remediation": ["Update the AutomatorWP plugin to the latest available version that removes the missing capability check.", "If an update is not immediately possible, revoke or re\u2011grant the capability that allows importing automations to all Subscriber levels so that only administrators can create them.", "Configure audit logging and monitor the admin/automations pages for unexpected automation creation activities by users with Subscriber or lower roles."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites running the AutomatorWP \u2013 Automator plugin version 5.3.6 or earlier are affected. The plugin is provided by rubengc. All prior releases to and including 5.3.6 lack the necessary authorization check.", "description_and_impact": "The AutomatorWP plugin contains a missing capability check on the automatorwp_ajax_import_automation_from_url function, allowing any authenticated user with Subscriber access or higher to create arbitrary automations. Those automations can contain malicious code that is executed when an administrator activates them, leading to remote code execution and potential privilege escalation. The attack grants control over the WordPress site, compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 8 indicates high severity, but the EPSS score of less than 1% suggests a low to moderate likelihood of exploitation in the wild at the time of analysis. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is an authenticated attacker who can log into the site as a Subscriber or higher; by calling the protected endpoint they can craft a malicious automation, which is then executed when an administrator activates it."}}}}, "created": "2025-09-09T21:31:36.945631+00:00", "updated": "2026-04-21T03:15:16.335257+00:00", "vendors": ["automatorwp", "automatorwp$PRODUCT$automatorwp", "wordpress", "wordpress$PRODUCT$wordpress"]}