CVE-2021-24717
📋 TL;DR
The AutomatorWP WordPress plugin before version 1.7.6 lacks proper capability checks on its AJAX endpoints, allowing authenticated users with the Subscriber role to enumerate automations, read private post titles and user email addresses, execute functions, and potentially escalate privileges. This affects every WordPress site running a vulnerable version of the AutomatorWP plugin.
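To make "lacks proper capability checks on AJAX endpoints" concrete, here is a generic WordPress AJAX handler in the vulnerable shape the advisory describes, beside a hardened version. This is an added illustration written for this page, not AutomatorWP's code; the hook names, function names, the `example_automation` post type and the choice of the `manage_options` capability are all assumptions.

```php
<?php
// Added illustration, not AutomatorWP's code. All hook, function and post type
// names below are hypothetical.

// VULNERABLE SHAPE: every logged-in user, Subscribers included, can reach a
// wp_ajax_* hook, and nothing here asks whether the caller is allowed to.
add_action( 'wp_ajax_example_list_automations', 'example_list_automations_vulnerable' );
function example_list_automations_vulnerable() {
    $posts = get_posts( array(
        'post_type'   => 'example_automation', // hypothetical post type
        'post_status' => 'any',                // includes private and draft items
        'numberposts' => -1,
    ) );
    // Returns ID => title for every automation, private ones included.
    wp_send_json_success( wp_list_pluck( $posts, 'post_title', 'ID' ) );
}

// HARDENED SHAPE: verify a nonce tied to this action (request forgery), then
// check a capability (authorization). Subscribers lack manage_options and are
// refused with a 403 before any data is read.
add_action( 'wp_ajax_example_list_automations_secure', 'example_list_automations_secure' );
function example_list_automations_secure() {
    check_ajax_referer( 'example_list_automations', 'nonce' ); // dies with -1 on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $posts = get_posts( array(
        'post_type'   => 'example_automation',
        'post_status' => 'any',
        'numberposts' => -1,
    ) );
    wp_send_json_success( wp_list_pluck( $posts, 'post_title', 'ID' ) );
}

// The nonce is handed to the admin page that makes the call, for example:
// wp_localize_script( 'example-admin', 'exampleAjax',
//     array( 'nonce' => wp_create_nonce( 'example_list_automations' ) ) );
```

The two checks answer different questions: `check_ajax_referer()` proves the request came from a page WordPress issued to this user, and `current_user_can()` proves the user is permitted to perform the action. The advisory's issue is the second one missing; a nonce alone would not stop a Subscriber who holds a valid nonce.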
💻 Affected Systems
- AutomatorWP WordPress plugin
📦 What is this software?
Automatorwp by Automatorwp
⚠️ Risk & Real-World Impact
Worst Case
Subscriber-level attackers gain administrative privileges, take full control of the WordPress site, access sensitive data, and potentially compromise the entire web server.
Likely Case
Unauthorized users access private content, harvest user email addresses, and manipulate automations to disrupt site functionality.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized data viewing without privilege escalation.
🎯 Exploit Status
Exploitation requires authenticated Subscriber access. Public proof-of-concept demonstrates enumeration and data disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.6
Vendor Advisory: https://wpscan.com/vulnerability/5916ea42-eb33-463d-8528-2a142805c91f
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find AutomatorWP and update to version 1.7.6 or later.
4. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints
Remove or restrict access to the vulnerable AJAX actions via .htaccess or web server configuration
# Add to .htaccess or server config to block automatorwp_ajax requests
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} action=automatorwp_ [NC]
RewriteRule ^ - [F,L]
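The rewrite rule above only inspects the query string, while admin-ajax.php also reads the action from the POST body, which is how most plugin JavaScript sends it; a WordPress-level hook sees both. The following must-use plugin is an added example written for this page, not AutomatorWP's code or part of the advisory. It assumes that refusing every `automatorwp_`-prefixed AJAX action to callers without the `manage_options` capability is acceptable on the site (administrators keep working; Subscribers and unauthenticated callers are refused), and the file name is a suggestion.

```php
<?php
/**
 * Plugin Name: Deny automatorwp_ AJAX actions to non-admins
 * Description: Stop-gap for CVE-2021-24717. Added example, not AutomatorWP code.
 *
 * Save as wp-content/mu-plugins/deny-automatorwp-ajax.php (suggested name).
 * Must-use plugins load automatically and cannot be deactivated from the
 * dashboard. Remove it after updating AutomatorWP to 1.7.6 or later.
 */

add_action( 'admin_init', function () {
    // admin-ajax.php fires admin_init before dispatching wp_ajax_{action},
    // so this runs ahead of the plugin's own handler.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    // admin-ajax.php takes the action from GET or POST; $_REQUEST covers both.
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    if ( 0 !== strpos( $action, 'automatorwp_' ) ) {
        return; // not one of the affected endpoints
    }

    // Assumption: on this site only administrators (manage_options) should
    // drive AutomatorWP's AJAX endpoints. Adjust the capability if needed.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Record the refusal; it matches the log indicators listed on this page.
    $user = wp_get_current_user();
    error_log( sprintf(
        'Blocked automatorwp_ AJAX action "%s" for user %d (roles: %s) from %s',
        $action,
        $user->ID,
        implode( ',', (array) $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}, 0 );
```

Priority 0 on the hook makes the check run before other `admin_init` callbacks. If the plugin exposes any front-end (`wp_ajax_nopriv_`) endpoints the site relies on, exempt them explicitly rather than loosening the capability check.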
Temporarily disable plugin
Deactivate the AutomatorWP plugin until it is patched
wp plugin deactivate automatorwp
🧯 If You Can't Patch
- Restrict Subscriber role creation and monitor existing Subscriber accounts for suspicious activity
- Implement web application firewall rules to block suspicious AJAX requests targeting automatorwp endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the AutomatorWP version. If the version is below 1.7.6, the site is vulnerable.
Check Version:
wp plugin list --name=automatorwp --field=version
Verify Fix Applied:
Confirm AutomatorWP version is 1.7.6 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Multiple admin-ajax.php requests with action=automatorwp_ from Subscriber-level users
- Unusual user role changes from Subscriber to higher privileges
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with automatorwp_ actions from non-admin users
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=automatorwp_*" AND user_role="subscriber"