CVE-2025-9539
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to create arbitrary automations without proper authorization. Attackers can exploit this to achieve remote code execution or privilege escalation when administrators activate these malicious automations. All WordPress sites using AutomatorWP plugin versions up to 5.3.6 are affected.
💻 Affected Systems
- AutomatorWP – Automator plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full site compromise through remote code execution leading to data theft, defacement, or complete administrative takeover.
Likely Case
Privilege escalation allowing attackers to gain administrative access and install backdoors or malware.
If Mitigated
Limited impact if proper user access controls and monitoring are in place to detect suspicious automation creation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has subscriber-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.7 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/automatorwp/tags/5.3.6/includes/admin/pages/import-automation.php#L386
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find AutomatorWP and click 'Update Now'. 4. Verify version is 5.3.7 or higher.
🔧 Temporary Workarounds
Disable vulnerable function via plugin filter
allAdd code to theme's functions.php to remove the vulnerable AJAX action
add_action('init', function() { remove_action('wp_ajax_automatorwp_import_automation_from_url', 'automatorwp_ajax_import_automation_from_url'); });
Restrict user capabilities
linuxTemporarily remove 'read' capability from all Subscriber-level users
wp user meta update [USER_ID] wp_capabilities 'a:1:{s:10:"subscriber";b:0;}'
🧯 If You Can't Patch
- Disable AutomatorWP plugin completely until patched
- Implement strict user access controls and monitor for unauthorized automation creation
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → AutomatorWP version. If version is 5.3.6 or lower, you are vulnerable.Check Version:
wp plugin list --name=automatorwp --field=versionVerify Fix Applied:
Verify AutomatorWP plugin version is 5.3.7 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=automatorwp_import_automation_from_url
- Automation creation logs from non-admin users
Network Indicators:
- HTTP POST requests to admin-ajax.php with automation import parameters
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "automatorwp_import_automation_from_url"