AutomatorWP CVE-2025-9539: Brief Summary of Critical Unauthorized Automation Import Vulnerability in WordPress

Brief summary of CVE-2025-9539 affecting AutomatorWP for WordPress. This post covers technical details, affected versions, and vendor security history for this high-severity unauthorized automation import vulnerability. No PoC, patch, or detection methods are included.
CVE Analysis

9 min read

ZeroPath CVE Analysis

2025-09-08

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers with even the lowest level of WordPress access can create malicious automations that execute with administrator privileges when the import endpoint performs no authorization check. For sites using AutomatorWP, this means a single subscriber account could potentially compromise the entire site through imported automations.

AutomatorWP is a popular WordPress plugin for no-code automations, integrating with over 200 plugins and services. It is widely used by site owners to automate workflows without custom code, making it a central part of many WordPress deployments.

Technical Information

CVE-2025-9539 is caused by a missing capability check in the automatorwp_ajax_import_automation_from_url AJAX handler. This function is responsible for importing automation workflows from external URLs. In all versions up to and including 5.3.6, the function does not verify that the requesting user has administrative privileges before processing the import. As a result, any authenticated user (including subscribers, the lowest built-in WordPress role) can trigger the import process.

The root cause is the absence of a capability check such as current_user_can('manage_options') before the import is handled. This allows low-privilege users to import arbitrary automations, which can be crafted to perform sensitive actions if later triggered by an administrator. Since AutomatorWP automations can interact with a wide range of plugins and core WordPress functionality, the impact can include privilege escalation, remote code execution, or persistent backdoors if a malicious automation is activated.

The vulnerable code is referenced at AutomatorWP import-automation.php#L386. The vulnerability is classified under CWE-94 (Code Injection), as malicious automations could lead to arbitrary code execution.
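To make the missing check concrete, here is an added illustration of an admin-ajax import handler in the vulnerable shape beside a hardened one. This is example code written for this post, not AutomatorWP's code; the function, action and nonce names (example_import_automation, example_do_import) are hypothetical placeholders, while the WordPress functions used (check_ajax_referer, current_user_can, wp_http_validate_url, wp_safe_remote_get) are real core APIs.

```php
<?php
// Added illustration (not AutomatorWP's code): an admin-ajax import handler
// with the access-control checks whose absence CVE-2025-9539 describes.
// Function, action and nonce names are hypothetical placeholders.

// Vulnerable shape: hooked for every logged-in user with no capability check,
// so any authenticated role (subscriber included) reaches the import logic.
add_action( 'wp_ajax_example_import_automation', 'example_import_automation_unchecked' );
function example_import_automation_unchecked() {
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    example_do_import( $url ); // runs regardless of the caller's role
}

// Hardened shape: CSRF nonce, then an explicit capability check, then strict
// URL validation before anything is fetched or stored.
add_action( 'wp_ajax_example_import_automation_safe', 'example_import_automation_checked' );
function example_import_automation_checked() {
    // Reject forged cross-site requests (nonce assumed to be created with
    // wp_create_nonce( 'example_import_automation' ) in the admin UI).
    check_ajax_referer( 'example_import_automation', 'nonce' );
    // The check this CVE is about: only administrators may import automations.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( array( 'message' => 'Invalid URL.' ), 400 );
    }

    $result = example_do_import( $url );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'imported' => $result ) );
}

// Hypothetical import step: fetch the definition with WordPress's SSRF-aware
// HTTP client and decode it; a real plugin would persist the automation after.
function example_do_import( $url ) {
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $definition = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $definition ) ) {
        return new WP_Error( 'example_bad_json', 'Automation definition is not valid JSON.' );
    }
    return $definition;
}
```

When auditing a plugin for this class of bug, look for every wp_ajax_* hook whose callback reaches privileged logic without a current_user_can() call; a nonce alone is not an authorization check.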

Affected Systems and Versions

  • AutomatorWP for WordPress
  • All versions up to and including 5.3.6
  • Any configuration where authenticated users (subscriber or higher) can access the site is vulnerable

Vendor Security History

AutomatorWP has experienced multiple security issues in the past:

  • CVE-2025-5487: SQL injection vulnerability
  • Security bypass in version 1.7.5
  • Administrator SQL injection in version 5.2.5 (Wordfence advisory)

These issues indicate recurring weaknesses in access control and input validation. While patches are released, the frequency of such vulnerabilities suggests deeper architectural concerns.
