Introduction
Attackers holding even the lowest level of WordPress access can plant automations that later run with administrator privileges if the plugin does not check who is allowed to import them. For sites using AutomatorWP, this means a single subscriber account could potentially compromise the entire site through an imported automation.
AutomatorWP is a popular WordPress plugin for no-code automations, integrating with over 200 plugins and services. It is widely used by site owners to automate workflows without custom code, making it a central part of many WordPress deployments.
Technical Information
CVE-2025-9539 is caused by a missing capability check in the automatorwp_ajax_import_automation_from_url AJAX handler. This function is responsible for importing automation workflows from external URLs. In all versions up to and including 5.3.6, the function does not verify that the requesting user has administrative privileges before processing the import. As a result, any authenticated user (including subscribers, the lowest built-in role in WordPress) can trigger this import process.
The root cause is the absence of a call like current_user_can('manage_options') or a similar capability check before the import is handled. A nonce check alone would not close the hole: a WordPress nonce ties a request to a logged-in session to block CSRF, but it says nothing about what that session is authorized to do. The missing check allows low-privilege users to import arbitrary automations, which can be crafted to perform sensitive actions if later triggered by an administrator. Since AutomatorWP automations can interact with a wide range of plugins and core WordPress functionality, the impact can include privilege escalation, remote code execution, or persistent backdoors if a malicious automation is activated.
The vulnerable code is referenced at AutomatorWP import-automation.php#L386. The vulnerability is classified under CWE-94 (Code Injection), as malicious automations could lead to arbitrary code execution.
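To make the root cause concrete, the following is an added, constructed example of a WordPress AJAX import handler in the vulnerable shape beside its hardened form. It is not AutomatorWP's code and does not reproduce the plugin's actual handler; the hook names, the example_ functions, the post type and the 'example_import' nonce action are hypothetical. Only the WordPress core APIs it calls (check_ajax_referer, current_user_can, wp_http_validate_url, wp_remote_get, wp_insert_post, wp_send_json_error) are real.

```php
<?php
/**
 * Added illustrative example, not AutomatorWP's own code.
 * Shows the missing-authorization pattern behind a bug like CVE-2025-9539:
 * the vulnerable handler authenticates the request but never authorizes it;
 * the hardened handler adds the capability check before any side effect.
 * All example_* names and the 'example_import' nonce action are hypothetical.
 */

// --- Vulnerable pattern: every logged-in user reaches the import logic. ---
add_action( 'wp_ajax_example_import_vulnerable', 'example_import_vulnerable' );
function example_import_vulnerable() {
    // A nonce only proves the request came from a page this user was served.
    // A subscriber who can load that page has a valid nonce; this is CSRF
    // protection, not authorization.
    check_ajax_referer( 'example_import', 'nonce' );

    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    example_do_import( $url ); // runs for subscribers too
}

// --- Hardened pattern: authorize, then validate input, then act. ---
add_action( 'wp_ajax_example_import', 'example_import' );
function example_import() {
    check_ajax_referer( 'example_import', 'nonce' );

    // The check that was missing. Importing automations is an admin-only
    // operation, so gate on the capability rather than on a role name.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';

    // Only fetch well-formed http(s) URLs. wp_http_validate_url() also
    // refuses loopback and private-range hosts, which limits SSRF.
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        wp_send_json_error( array( 'message' => 'Invalid URL.' ), 400 );
    }

    example_do_import( $url );
}

// Shared import step. Fetches the remote definition with a size cap and
// stores it as a draft so nothing executes until an administrator reviews it.
function example_do_import( $url ) {
    $response = wp_remote_get( $url, array(
        'timeout'             => 10,
        'limit_response_size' => 1048576, // 1 MiB cap on the fetched body
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( array( 'message' => 'Fetch failed.' ), 502 );
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( array( 'message' => 'Malformed automation.' ), 400 );
    }

    // Hypothetical storage: the automation is saved as a draft, never active.
    $post_id = wp_insert_post( array(
        'post_type'    => 'example_automation',
        'post_status'  => 'draft',
        'post_title'   => sanitize_text_field( $data['title'] ?? 'Imported automation' ),
        'post_content' => wp_json_encode( $data ),
    ), true );
    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Save failed.' ), 500 );
    }

    wp_send_json_success( array( 'id' => $post_id ) );
}
```

The ordering in the hardened handler is the practical lesson: the capability check runs before the URL is parsed, before any outbound request is made, and before anything is written, so an unauthorized caller cannot cause any side effect at all. When reviewing an AJAX or REST handler, look for exactly this: a current_user_can() call on the right capability that precedes the first state change, not merely a nonce check.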
Affected Systems and Versions
- AutomatorWP for WordPress
- All versions up to and including 5.3.6
- Any site where an untrusted party can obtain an authenticated account (for example, open registration that grants the subscriber role) is exposed; no elevated role is required
Vendor Security History
AutomatorWP has experienced multiple security issues in the past:
- CVE-2025-5487: SQL injection vulnerability
- Security bypass in version 1.7.5
- Administrator SQL injection in version 5.2.5 (Wordfence advisory)
These issues indicate recurring weaknesses in access control and input validation. While patches are released, the frequency of such vulnerabilities suggests deeper architectural concerns.