Skip to main content
CVE Vulnerability Database

CVE-2025-9539: AutomatorWP Auth Bypass Vulnerability

CVE-2025-9539 is an authentication bypass flaw in the AutomatorWP WordPress plugin that allows low-privilege attackers to create malicious automations, potentially leading to remote code execution or privilege escalation.

Published:

CVE-2025-9539 Overview

CVE-2025-9539 affects the AutomatorWP WordPress plugin, a no-code automation tool supporting webhooks and custom integrations. The vulnerability exists in the automatorwp_ajax_import_automation_from_url function, which lacks a capability check in all versions up to and including 5.3.6. Authenticated users with Subscriber-level access or higher can import arbitrary automations from a remote URL. When an administrator subsequently activates the imported automation, the attacker achieves Remote Code Execution (RCE) or privilege escalation. The flaw is categorized under [CWE-94] Improper Control of Generation of Code.

Critical Impact

Low-privileged WordPress users can plant malicious automations that execute code or escalate privileges once an administrator triggers them.

Affected Products

  • AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations for WordPress
  • All versions up to and including 5.3.6
  • WordPress sites with Subscriber-level registration enabled are at elevated risk

Discovery Timeline

  • 2025-09-09 - CVE-2025-9539 published to the National Vulnerability Database (NVD)
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-9539

Vulnerability Analysis

The AutomatorWP plugin exposes an AJAX action that imports automation configurations from a user-supplied URL. The handler automatorwp_ajax_import_automation_from_url does not verify the caller's WordPress capabilities before processing the import request. Any authenticated user, including Subscriber accounts created through open registration, can invoke the endpoint and stage arbitrary automation definitions inside the site. Because automations in AutomatorWP can trigger webhooks, run custom integrations, and execute privileged actions, a planted automation becomes a code execution primitive once an administrator activates it.

Root Cause

The root cause is a missing authorization check inside the AJAX handler defined in includes/admin/pages/import-automation.php. The function relies on the action being available only to administrators, but no current_user_can() check or nonce-bound capability validation is performed. This violates the WordPress principle that privileged AJAX actions must explicitly assert capabilities, leading directly to the [CWE-94] code generation flaw.

Attack Vector

An attacker registers or compromises any Subscriber-level account on the target WordPress site. The attacker sends a crafted AJAX request to the vulnerable endpoint, pointing the url parameter to an attacker-controlled JSON file containing a malicious automation definition. The plugin fetches and imports the automation into the database. When an administrator browses the automations panel and activates or runs the malicious automation, the embedded webhook, code snippet, or integration trigger executes in the WordPress process context, yielding RCE or administrator-level privilege escalation. Refer to the WordPress plugin source for the vulnerable handler and the Wordfence Vulnerability Report for additional technical context.

Detection Methods for CVE-2025-9539

Indicators of Compromise

  • POST requests to admin-ajax.php with action=automatorwp_ajax_import_automation_from_url originating from non-administrator sessions
  • Outbound HTTP fetches from the WordPress server to unfamiliar domains immediately preceding new automation entries
  • Unexpected rows in AutomatorWP automation tables created or owned by Subscriber-level user IDs
  • New WordPress administrator accounts or modified user roles correlating with automation activation events

Detection Strategies

  • Review web server access logs for admin-ajax.php calls referencing the automatorwp_ajax_import_automation_from_url action and filter by authenticated low-privilege session cookies
  • Audit the AutomatorWP automations list for entries with unknown titles, suspicious webhook URLs, or code-execution actions
  • Correlate plugin database writes with the WordPress user metadata table to identify automations created by non-admin accounts

Monitoring Recommendations

  • Alert on PHP processes spawning shell interpreters or writing to the wp-content/uploads directory after AutomatorWP activity
  • Monitor for privilege changes in wp_usermeta for the wp_capabilities key following automation execution
  • Track outbound connections initiated by wp-cron.php or AutomatorWP action handlers to non-allowlisted destinations

How to Mitigate CVE-2025-9539

Immediate Actions Required

  • Update the AutomatorWP plugin to a version newer than 5.3.6 as soon as the vendor publishes a patched release
  • Disable the AutomatorWP plugin on sites that allow open user registration until the update is applied
  • Audit existing automations and remove any entries that cannot be attributed to a legitimate administrator
  • Rotate administrator credentials and review user roles for unauthorized escalations

Patch Information

The vulnerability affects all versions of AutomatorWP up to and including 5.3.6. Site owners should monitor the official AutomatorWP plugin page and the Wordfence advisory for the fixed release that introduces a capability check on the automatorwp_ajax_import_automation_from_url AJAX action.

Workarounds

  • Restrict access to admin-ajax.php requests carrying the automatorwp_ajax_import_automation_from_url action using a web application firewall (WAF) rule
  • Disable new user registration in WordPress settings, or limit registration to trusted email domains
  • Apply the principle of least privilege by removing unused Subscriber accounts and enforcing strong authentication for all roles
bash
# Example WAF rule (ModSecurity) to block the vulnerable AJAX action
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "chain,phase:2,deny,status:403,id:1009539,\
    msg:'Block AutomatorWP CVE-2025-9539 import-from-url action'"
    SecRule ARGS:action "@streq automatorwp_ajax_import_automation_from_url"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.