cleantalk
Vulnerabilities and Security Researches

AutomatorWP – The #1 automator plugin for no-code automation in WordPress, CVE-2025-9539

CVE, Research URL

CVE-2025-9539

Home page URL

Security reports for AutomatorWP – The #1 automator plugin for no-code automation in WordPress

Application

AutomatorWP – The #1 automator plugin for no-code automation in WordPress

Published on
Sep 09, 2025
Research Description
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privilege escalation once such automation is activated by the administrator
Affected versions
max 5.3.7.
Status
vulnerable
Previous vulnerability researches
Livemesh SiteOrigin Widgets (CVE-2025-8780) , Apr 23, 2026
Livemesh SiteOrigin Widgets (0dc46a2ee5ef036dfed29524d3f3f1875466101d) , Jun 07, 2024
Livemesh SiteOrigin Widgets (CVE-2022-4974) , Nov 14, 2024
New vulnerability
Sendmachine for WordPress (CVE-2026-6235) , Apr 24, 2026
Emailchef (CVE-2026-1930) , Apr 24, 2026
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier (CVE-2025-6833) , Apr 24, 2026
WP Responsive Popup + Optin (CVE-2026-4131) , Apr 24, 2026
Portfolio Gallery, Product Catalog – Grid KIT Portfolio (CVE-2025-5092) , Apr 24, 2026