WordPress Plugin Vulnerabilities

AutomatorWP < 5.3.8 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions

Description

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple plugin's functions in all versions up to, and including, 5.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify integration settings or view existing automations.

Affects Plugins

Plugin icon
automatorwp
Fixed in 5.3.8

References

CVE
CVE-2025-9542
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/62ed278c-f914-4edd-aba1-4aaa099a869f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
2ab3b7c8-9956-4851-ba62-5f08484fe2b8

Timeline

Publicly Published
2025-09-08 (about 8 months ago)
Added
2025-09-08 (about 8 months ago)
Last Updated
2025-09-09 (about 8 months ago)

Other

Published
Title
Published
2024-07-12
Title
WP Links Page < 4.9.6 - Missing Authorization to Authenticated (Subscriber+) Limited Image Update
Published
2022-11-28
Title
Directorist < 7.4.4 - Subscriber+ Sensitive Information Disclosure
Published
2023-12-06
Title
Redirects <= 1.2.1 - Missing Authorization
Published
2024-04-05
Title
Bricksforge < 2.1.1 - Missing Authorization to Unauthenticated WordPress Settings Update
Published
2024-06-03
Title
Admin Notices Manager < 1.5.0 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval