What the vulnerability does
01 Description
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple plugin functions in all versions up to, and including, 5.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify integration settings or view existing automations.
Explanation of Vulnerability in Simple Terms
02 Summary
AutomatorWP versions up to 5.3.7 lack proper authorization checks on certain functions, allowing authenticated users with low privileges to read and modify data they should not access. An attacker with a basic WordPress account can view or alter sensitive automation settings and webhook configurations. Update to a version newer than 5.3.7 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Read and modify automation settings and webhook data without proper authorization.
Potential impact on your site
04 Site Impact
Unauthorized users can access and alter automations, webhooks, and integrations configured by administrators.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor).
Key dates
06 Disclosure timeline
September 9, 2025: CVE published
April 8, 2026: Record updated