SQL Injection Vulnerability in AutomatorWP Plugin for WordPress
CVE-2025-5487

7.2 HIGH

What is CVE-2025-5487?

The AutomatorWP plugin for WordPress is susceptible to a time-based SQL injection vulnerability through the field_conditions parameter. This issue arises due to inadequate parameter escaping and a lack of proper query preparation, enabling authenticated attackers with Administrator-level access to inject additional SQL queries. Such exploits can lead to unauthorized access to sensitive database information, potentially compromising the integrity and confidentiality of the data.

Affected Version(s)

AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress * <= 5.2.5

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mokrane Abdelmalek