Reflected Cross-Site Scripting Vulnerability in AutomatorWP Plugin for WordPress
CVE-2024-12626

9.6CRITICAL

Key Information:

Vendor: Wordpress
Status: AutomatorWP – The #1 Automator Plugin For No-code Automation In WordPress
Vendor: CVE Published:; 19 December 2024

What is CVE-2024-12626?

The AutomatorWP plugin, used for no-code automations and integrations in WordPress, is susceptible to a reflected cross-site scripting vulnerability due to inadequate input sanitization and output escaping in the 'a-0-o-search_field_value' parameter. This vulnerability affects all versions up to and including 5.0.9. Exploitation of this flaw may allow unauthenticated attackers to inject malicious scripts into webpages, which can be executed when unsuspecting users interact with affected pages. Furthermore, when combined with the plugin's import and code action features, the vulnerability increases the risk of arbitrary code execution on the server, posing a significant threat to system integrity.

Affected Version(s)

AutomatorWP – The #1 automator plugin for no-code automation in WordPress * <= 5.0.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3209794/auto...

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 19, 2024
Vulnerability Reserved
Dec 13, 2024

Credit

Vincent Fourcade

Wordpress

What is CVE-2024-12626?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit