CVE-2025-9539 Overview
CVE-2025-9539 affects the AutomatorWP WordPress plugin, a no-code automation tool supporting webhooks and custom integrations. The vulnerability exists in the automatorwp_ajax_import_automation_from_url function, which lacks a capability check in all versions up to and including 5.3.6. Authenticated users with Subscriber-level access or higher can import arbitrary automations from a remote URL. When an administrator subsequently activates the imported automation, the attacker achieves Remote Code Execution (RCE) or privilege escalation. The flaw is categorized under [CWE-94] Improper Control of Generation of Code.
Critical Impact
Low-privileged WordPress users can plant malicious automations that execute code or escalate privileges once an administrator triggers them.
Affected Products
- AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations for WordPress
- All versions up to and including 5.3.6
- WordPress sites with Subscriber-level registration enabled are at elevated risk
Discovery Timeline
- 2025-09-09 - CVE-2025-9539 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-9539
Vulnerability Analysis
The AutomatorWP plugin exposes an AJAX action that imports automation configurations from a user-supplied URL. The handler automatorwp_ajax_import_automation_from_url does not verify the caller's WordPress capabilities before processing the import request. Any authenticated user, including Subscriber accounts created through open registration, can invoke the endpoint and stage arbitrary automation definitions inside the site. Because automations in AutomatorWP can trigger webhooks, run custom integrations, and execute privileged actions, a planted automation becomes a code execution primitive once an administrator activates it.
Root Cause
The root cause is a missing authorization check inside the AJAX handler defined in includes/admin/pages/import-automation.php. The function relies on the action being available only to administrators, but no current_user_can() check or nonce-bound capability validation is performed. This violates the WordPress principle that privileged AJAX actions must explicitly assert capabilities, leading directly to the [CWE-94] code generation flaw.
Attack Vector
An attacker registers or compromises any Subscriber-level account on the target WordPress site. The attacker sends a crafted AJAX request to the vulnerable endpoint, pointing the url parameter to an attacker-controlled JSON file containing a malicious automation definition. The plugin fetches and imports the automation into the database. When an administrator browses the automations panel and activates or runs the malicious automation, the embedded webhook, code snippet, or integration trigger executes in the WordPress process context, yielding RCE or administrator-level privilege escalation. Refer to the WordPress plugin source for the vulnerable handler and the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-9539
Indicators of Compromise
- POST requests to admin-ajax.php with action=automatorwp_ajax_import_automation_from_url originating from non-administrator sessions
- Outbound HTTP fetches from the WordPress server to unfamiliar domains immediately preceding new automation entries
- Unexpected rows in AutomatorWP automation tables created or owned by Subscriber-level user IDs
- New WordPress administrator accounts or modified user roles correlating with automation activation events
Detection Strategies
- Review web server access logs for admin-ajax.php calls referencing the automatorwp_ajax_import_automation_from_url action and filter by authenticated low-privilege session cookies
- Audit the AutomatorWP automations list for entries with unknown titles, suspicious webhook URLs, or code-execution actions
- Correlate plugin database writes with the WordPress user metadata table to identify automations created by non-admin accounts
Monitoring Recommendations
- Alert on PHP processes spawning shell interpreters or writing to the wp-content/uploads directory after AutomatorWP activity
- Monitor for privilege changes in wp_usermeta for the wp_capabilities key following automation execution
- Track outbound connections initiated by wp-cron.php or AutomatorWP action handlers to non-allowlisted destinations
How to Mitigate CVE-2025-9539
Immediate Actions Required
- Update the AutomatorWP plugin to a version newer than 5.3.6 as soon as the vendor publishes a patched release
- Disable the AutomatorWP plugin on sites that allow open user registration until the update is applied
- Audit existing automations and remove any entries that cannot be attributed to a legitimate administrator
- Rotate administrator credentials and review user roles for unauthorized escalations
Patch Information
The vulnerability affects all versions of AutomatorWP up to and including 5.3.6. Site owners should monitor the official AutomatorWP plugin page and the Wordfence advisory for the fixed release that introduces a capability check on the automatorwp_ajax_import_automation_from_url AJAX action.
Workarounds
- Restrict access to admin-ajax.php requests carrying the automatorwp_ajax_import_automation_from_url action using a web application firewall (WAF) rule
- Disable new user registration in WordPress settings, or limit registration to trusted email domains
- Apply the principle of least privilege by removing unused Subscriber accounts and enforcing strong authentication for all roles
# Example WAF rule (ModSecurity) to block the vulnerable AJAX action
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
"chain,phase:2,deny,status:403,id:1009539,\
msg:'Block AutomatorWP CVE-2025-9539 import-from-url action'"
SecRule ARGS:action "@streq automatorwp_ajax_import_automation_from_url"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

