CVE-2026-40785

AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.6.7 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 5.6.8
Time to patch: 8d

Description

The AutomatorWP plugin for WordPress (Automator plugin for no-code automations, webhooks & custom integrations) is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.6.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Technical Details

  • Affected versions: <= 5.6.7
  • Published: April 23, 2026
  • Last updated: April 30, 2026
  • Affected plugin: automatorwp

What Changed in the Fix

Changes introduced in v5.6.8


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-40785 (AutomatorWP Missing Authorization)

1. Vulnerability Summary

The AutomatorWP plugin (versions <= 5.6.7) is vulnerable to Missing Authorization. Multiple AJAX handlers registered via wp_ajax_* hooks perform sensitive configuration updates but lack capability checks (e.g., current_user_can()). While these handlers verify a WordPress nonce (automatorwp_admin), this nonce is frequently exposed to all authenticated users (including Subscribers) within the WordPress admin dashboard (e.g., on profile.php). An authenticated attacker with Subscriber-level access can use this nonce to overwrite integration settings, such as API keys for ActiveCampaign, AWeber, Bluesky, or Campaign Monitor.

2. Attack Vector Analysis

  • Endpoints: /wp-admin/admin-ajax.php
  • Actions:
    • automatorwp_activecampaign_refresh
    • automatorwp_aweber_authorize
    • automatorwp_bluesky_authorize
    • automatorwp_campaign_monitor_authorize
  • Parameters:
    • nonce: The automatorwp_admin nonce.
    • client_id, client_secret (for AWeber).
    • url, key (for ActiveCampaign).
  • Authentication: Subscriber-level account.
  • Preconditions: The plugin must be active. Some integrations (like AWeber or ActiveCampaign) may need to be enabled or their settings tab accessed once to initialize option structures, though the code typically handles get_option defaults.

3. Code Flow

  1. Entry Point: A Subscriber sends a POST request to admin-ajax.php with action=automatorwp_aweber_authorize.
  2. Hook: The hook add_action( 'wp_ajax_automatorwp_aweber_authorize', 'automatorwp_aweber_ajax_authorize' ) in integrations/aweber/includes/ajax-functions.php triggers.
  3. Nonce Check: check_ajax_referer( 'automatorwp_admin', 'nonce' ) is called. This validates the CSRF token.
  4. Authorization Gap: The function immediately proceeds to process inputs without calling current_user_can( 'manage_options' ) or the plugin-specific automatorwp_get_manager_capability().
  5. Sink:
    • update_option( 'automatorwp_settings', $settings ) is called.
    • User-controlled client_id and client_secret are saved into the site's global configuration.

4. Nonce Acquisition Strategy

The automatorwp_admin nonce is used across the plugin for administrative AJAX tasks. It is typically localized for the WordPress admin environment.

  1. Target Page: Any wp-admin page accessible to a Subscriber (e.g., /wp-admin/profile.php or the dashboard /wp-admin/index.php).
  2. Variable Identification: Based on standard AutomatorWP patterns (the localization presumably lives in includes/scripts.php, which was not provided; this is inferred from the check_ajax_referer key), the nonce is likely localized under a global JavaScript object.
  3. Execution:
    • Use browser_navigate to go to /wp-admin/profile.php.
    • Use browser_eval to search for the nonce:
      • browser_eval("window.automatorwp_admin?.nonce") (inferred)
      • OR search the raw HTML for automatorwp_admin strings: browser_eval("document.documentElement.innerHTML.match(/\"nonce\":\"([a-f0-9]{10})\"/)[1]")

5. Exploitation Strategy

We will target the automatorwp_aweber_authorize action to overwrite settings.

Step 1: Authentication

Login as a Subscriber user and maintain the session.

Step 2: Nonce Extraction

Navigate to the WordPress dashboard and extract the automatorwp_admin nonce.

Step 3: Unauthorized Configuration Update

Send the following request using the http_request tool:

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=automatorwp_aweber_authorize&nonce=[EXTRACTED_NONCE]&client_id=PWNED_ID&client_secret=PWNED_SECRET

Step 4: Verification

Confirm that the automatorwp_settings option has been updated with the malicious values.

6. Test Data Setup

  1. Users: Create a user with the subscriber role.
  2. Plugin: Ensure automatorwp is installed and activated.
  3. Optional: Navigate to AutomatorWP -> Settings as Admin once to ensure the automatorwp_settings option is initialized in the database.

7. Expected Results

  • The AJAX response should be a JSON success message: {"success":true,"data":{"message":"Settings saved successfully, redirecting to AWeber...","redirect_url":"..."}}.
  • The WordPress database will now contain PWNED_ID and PWNED_SECRET within the automatorwp_settings option.

8. Verification Steps

After the exploit, run the following WP-CLI command to check the database state:

wp option get automatorwp_settings --format=json

Verify that the keys automatorwp_aweber_client_id and automatorwp_aweber_client_secret contain the attacker-supplied values.

9. Alternative Approaches

If AWeber is not the target, use the ActiveCampaign refresh endpoint, which is even simpler as it requires no specific payloads:

  • Action: automatorwp_activecampaign_refresh
  • Body: action=automatorwp_activecampaign_refresh&nonce=[NONCE]
  • Effect: Regenerates the ActiveCampaign webhook slug and updates settings, effectively breaking any existing ActiveCampaign webhook integration.

Research Findings

Static analysis — not yet PoC-verified

Summary

AutomatorWP <= 5.6.7 fails to perform capability checks in several AJAX handlers used for configuring integrations like AWeber, ActiveCampaign, and Bluesky. This allows authenticated attackers with Subscriber-level permissions to overwrite sensitive plugin settings, including API keys and client secrets, by exploiting a nonce that is exposed to all logged-in users.

Vulnerable Code

// integrations/activecampaign/includes/ajax-functions.php
/**
 * Set the default URL value
 *
 * @since 1.0.0
 *
 * @return string
 */
function automatorwp_activecampaign_ajax_refresh( ) {
    // Security check
    check_ajax_referer( 'automatorwp_admin', 'nonce' );

    $prefix = 'automatorwp_activecampaign_';

---

// integrations/aweber/includes/ajax-functions.php
/**
 * AJAX handler for the authorize action
 *
 * @since 1.0.0
 */
function automatorwp_aweber_ajax_authorize() {
    // Security check
    check_ajax_referer( 'automatorwp_admin', 'nonce' );

    $prefix = 'automatorwp_aweber_';

---

// integrations/bluesky/includes/ajax-functions.php
/**
 * AJAX handler for the authorize action
 *
 * @since 1.0.0
 */
function automatorwp_bluesky_ajax_authorize() {
    // Security check
    check_ajax_referer( 'automatorwp_admin', 'nonce' );

    $prefix = 'automatorwp_bluesky_';
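The three excerpts above share the pattern the fix addresses: the handler verifies a nonce (a CSRF control) and then proceeds as if that were an authorization check. The following must-use plugin is an added hardening example, not the plugin's code and not part of this advisory: for sites that cannot update to 5.6.8 immediately, it hooks the four affected actions ahead of the plugin's own handlers and enforces the missing capability check, logging denied attempts. It assumes AutomatorWP registers its handlers at WordPress's default hook priority 10 (so priority 1 runs first); the function names, the guarded-action list and the log line format are this example's own, while `automatorwp_get_manager_capability()` and `AUTOMATORWP_VER` are taken from the diff on this page.

```php
<?php
/**
 * Plugin Name: AutomatorWP AJAX capability guard (hypothetical mu-plugin, example only)
 * Description: Interim hardening for CVE-2026-40785 until AutomatorWP >= 5.6.8 is installed.
 *
 * Place in wp-content/mu-plugins/. The guard runs at priority 1 on each affected
 * wp_ajax_* action, i.e. before the plugin's own handler (assumed to be at the
 * default priority 10). wp_send_json_error() terminates the request, so a denied
 * user never reaches the vulnerable handler.
 */

defined( 'ABSPATH' ) || exit;

// The four AJAX actions named in this advisory.
const AUTOMATORWP_GUARDED_ACTIONS = array(
    'automatorwp_activecampaign_refresh',
    'automatorwp_aweber_authorize',
    'automatorwp_bluesky_authorize',
    'automatorwp_campaign_monitor_authorize',
);

// Use the same capability the fixed plugin checks; fall back to manage_options
// if the plugin's helper is not loaded for any reason.
function automatorwp_guard_required_capability() {
    if ( function_exists( 'automatorwp_get_manager_capability' ) ) {
        return automatorwp_get_manager_capability();
    }
    return 'manage_options';
}

function automatorwp_guard_ajax_request() {
    // 5.6.8 and later enforce the check themselves; the guard then steps aside.
    if ( defined( 'AUTOMATORWP_VER' ) && version_compare( AUTOMATORWP_VER, '5.6.8', '>=' ) ) {
        return;
    }

    // Same nonce the plugin's handlers verify; an invalid nonce ends the request here.
    check_ajax_referer( 'automatorwp_admin', 'nonce' );

    // Authorization: the step the vulnerable handlers omit.
    if ( current_user_can( automatorwp_guard_required_capability() ) ) {
        return; // Manager-level user: let the plugin's handler run normally.
    }

    // Record the denied attempt (user id, action, source address) for the SOC.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown';
    error_log( sprintf(
        'automatorwp-guard: denied action=%s user_id=%d ip=%s',
        $action,
        get_current_user_id(),
        $ip
    ) );

    // Explicit 403 so proxy/WAF logs can tell an authorization failure from a nonce failure.
    wp_send_json_error( 'You are not allowed to perform this action.', 403 );
}

foreach ( AUTOMATORWP_GUARDED_ACTIONS as $guarded_action ) {
    add_action( 'wp_ajax_' . $guarded_action, 'automatorwp_guard_ajax_request', 1 );
}
```

The guard is a stop-gap, not a replacement for the update: it covers only the actions listed on this page, and it relies on the plugin's handlers running at a later priority. Once 5.6.8 is installed it becomes a no-op and can be removed.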

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.7/automatorwp.php /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.8/automatorwp.php
--- /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.7/automatorwp.php	2026-03-27 11:52:40.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.8/automatorwp.php	2026-04-08 07:49:58.000000000 +0000
@@ -3,7 +3,7 @@
  * Plugin Name:     	AutomatorWP
  * Plugin URI:      	https://automatorwp.com
  * Description:     	Connect your WordPress plugins together and create automated workflows with no code!
- * Version:         	5.6.7
+ * Version:         	5.6.8
  * Author:          	AutomatorWP
  * Author URI:      	https://automatorwp.com/
  * Text Domain:     	automatorwp
@@ -119,7 +119,7 @@
     private function constants() {
 
         // Plugin version
-        define( 'AUTOMATORWP_VER', '5.6.7' );
+        define( 'AUTOMATORWP_VER', '5.6.8' );
 
         // Plugin file
         define( 'AUTOMATORWP_FILE', __FILE__ );
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.7/integrations/activecampaign/includes/ajax-functions.php /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.8/integrations/activecampaign/includes/ajax-functions.php
--- /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.7/integrations/activecampaign/includes/ajax-functions.php	2026-03-27 11:52:40.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.8/integrations/activecampaign/includes/ajax-functions.php	2026-04-08 07:49:58.000000000 +0000
@@ -57,7 +57,7 @@
 
     // Update settings
     update_option( 'automatorwp_settings', $settings );
-    $admin_url = str_replace( 'http://', 'http://', get_admin_url() )  . 'admin.php?page=automatorwp_settings&tab=opt-tab-activecampaign';
+    $admin_url = admin_url( 'admin.php?page=automatorwp_settings&tab=opt-tab-activecampaign' );
    
     wp_send_json_success( array(
         'message' => __( 'Correct data to connect with ActiveCampaign', 'automatorwp' ),
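Review bot: the context lines of this hunk show update_option( 'automatorwp_settings', $settings ) in a handler around line 57 that receives no permissions check in this diff; only the refresh handler at -79 in this file does. Confirm that this earlier handler (the one that saves the ActiveCampaign URL and key) already calls current_user_can( automatorwp_get_manager_capability() ) before the update, or add the same check there. The replacement of str_replace( 'http://', 'http://', get_admin_url() ) with admin_url( ... ) is a correct cleanup, since the old str_replace replaced a string with itself and was a no-op.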
@@ -79,6 +79,11 @@
     // Security check
     check_ajax_referer( 'automatorwp_admin', 'nonce' );
 
+    // Permissions check
+    if( ! current_user_can( automatorwp_get_manager_capability() ) ) {
+        wp_send_json_error( __( 'You\'re not allowed to perform this action.', 'automatorwp' ) );
+    }
+
     $prefix = 'automatorwp_activecampaign_';
 
     // Get random characters for slug
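Review bot: the new check is correctly placed after the nonce check and before $prefix is used, and wp_send_json_error() ends the request, so no explicit return is needed. Consider passing a status code, wp_send_json_error( __( ... ), 403 ), so that an authorization denial is distinguishable from the -1 response check_ajax_referer() emits on a bad nonce in access and WAF logs. Style: WordPress coding standards write `if ( ! ... )` with a space after `if`.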
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.7/integrations/aweber/includes/ajax-functions.php /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.8/integrations/aweber/includes/ajax-functions.php
--- /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.7/integrations/aweber/includes/ajax-functions.php	2026-03-27 11:52:40.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.8/integrations/aweber/includes/ajax-functions.php	2026-04-08 07:49:58.000000000 +0000
@@ -18,6 +18,11 @@
     // Security check
     check_ajax_referer( 'automatorwp_admin', 'nonce' );
 
+    // Permissions check
+    if( ! current_user_can( automatorwp_get_manager_capability() ) ) {
+        wp_send_json_error( __( 'You\'re not allowed to perform this action.', 'automatorwp' ) );
+    }
+
     $prefix = 'automatorwp_aweber_';
 
     $client_id = sanitize_text_field( $_POST['client_id'] );
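Review bot: the context line `$client_id = sanitize_text_field( $_POST['client_id'] );` reads the POST key without an isset() guard, so a manager-level request without client_id raises a PHP warning before sanitization; suggest `isset( $_POST['client_id'] ) ? sanitize_text_field( wp_unslash( $_POST['client_id'] ) ) : ''`. The added capability check itself matches the one in the ActiveCampaign handler.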
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.7/integrations/bluesky/includes/ajax-functions.php /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.8/integrations/bluesky/includes/ajax-functions.php
--- /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.7/integrations/bluesky/includes/ajax-functions.php	2026-03-27 11:52:40.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.8/integrations/bluesky/includes/ajax-functions.php	2026-04-08 07:49:58.000000000 +0000
@@ -19,6 +19,11 @@
     // Security check
     check_ajax_referer( 'automatorwp_admin', 'nonce' );
 
+    // Permissions check
+    if( ! current_user_can( automatorwp_get_manager_capability() ) ) {
+        wp_send_json_error( __( 'You\'re not allowed to perform this action.', 'automatorwp' ) );
+    }
+
     $prefix = 'automatorwp_bluesky_';
 
     $user_handle = automatorwp_bluesky_validate_name_account( sanitize_text_field( $_POST["user_handle"] ) );
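Review bot: the context line reads $_POST["user_handle"] without isset() and with double quotes, while the other handlers in this diff use single-quoted keys; guard the lookup and use the same quoting as the rest of the file. The capability check is consistent with the other three files.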
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.7/integrations/campaign-monitor/includes/ajax-functions.php /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.8/integrations/campaign-monitor/includes/ajax-functions.php
--- /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.7/integrations/campaign-monitor/includes/ajax-functions.php	2026-03-27 11:52:40.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/automatorwp/5.6.8/integrations/campaign-monitor/includes/ajax-functions.php	2026-04-08 07:49:58.000000000 +0000
@@ -19,6 +19,11 @@
     // Security check
     check_ajax_referer( 'automatorwp_admin', 'nonce' );
 
+    // Permissions check
+    if( ! current_user_can( automatorwp_get_manager_capability() ) ) {
+        wp_send_json_error( __( 'You\'re not allowed to perform this action.', 'automatorwp' ) );
+    }
+
     $prefix = 'automatorwp_campaign_monitor_';
 
     $url = automatorwp_campaign_monitor_get_url();
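Review bot: this is the fourth copy of the identical five-line permissions block in this diff (ActiveCampaign, AWeber, Bluesky, Campaign Monitor). Suggest extracting it into a single helper, for example a hypothetical automatorwp_ajax_check_permissions() called right after check_ajax_referer(), so that any future AJAX handler gets the check by calling one function and a missing call is easy to spot in review. A regression test that issues each action as a Subscriber and expects the error response would keep the check from being dropped again.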

Exploit Outline

The exploit targets missing capability checks in AutomatorWP's AJAX handlers.

  1. Nonce Extraction: An authenticated attacker (with Subscriber-level access) logs into the WordPress dashboard. Because the plugin localizes the 'automatorwp_admin' nonce for various admin UI elements, the attacker can extract this nonce from the page source or JavaScript global objects (e.g., searching for the `nonce` key within `automatorwp_admin`).
  2. Unauthorized Request: Using the extracted nonce, the attacker sends a POST request to `/wp-admin/admin-ajax.php`.
  3. Payload Construction: The attacker specifies a vulnerable action such as `automatorwp_aweber_authorize` or `automatorwp_activecampaign_refresh`. For authorization actions, the attacker includes malicious `client_id` or `client_secret` parameters.
  4. Result: The AJAX handler validates the nonce but fails to check if the user has administrative privileges. It then proceeds to update the site's global `automatorwp_settings` option with the attacker-supplied values, effectively hijacking or disrupting the site's automated integrations.
