Unauthorized Data Access Vulnerability in AutomatorWP Plugin for WordPress
CVE-2025-9542

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: AutomatorWP – Automator Plugin For No-code Automations, Webhooks & Custom Integrations In WordPress
Vendor: CVE Published:; 9 September 2025

What is CVE-2025-9542?

The AutomatorWP plugin, designed for no-code automations and integrations within WordPress, contains a security flaw that allows authenticated users with Subscriber-level access and higher to manipulate integration settings and view automations. This vulnerability arises from a lack of appropriate capability checks in several functions of the plugin. As a result, unauthorized modifications to user data or settings can occur, posing a significant risk to the integrity of automated processes and workflows.

Affected Version(s)

AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress * <= 5.3.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3355175/

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 9, 2025
Vulnerability Reserved
Aug 27, 2025

Credit

Matthew Rollings