[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffHko6lbcKTHMi7Co9p5c1yT4BYIqSu00dlLvxtdzJEQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-40785","automatorwp-automator-plugin-for-no-code-automations-webhooks-custom-integrations-in-wordpress-missing-authorization","AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress \u003C= 5.6.7 - Missing Authorization","The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 5.6.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","automatorwp",null,"\u003C=5.6.7","5.6.8","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-23 00:00:00","2026-04-30 14:56:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fef8c41c6-3065-4650-81e9-bdba0e38f2bd?source=api-prod",8,[22,23,24,25,26,27,28,29],"automatorwp.php","integrations\u002Factivecampaign\u002Fincludes\u002Fajax-functions.php","integrations\u002Factivecampaign\u002Fincludes\u002Frest-api.php","integrations\u002Factivecampaign\u002Fincludes\u002Ftriggers\u002Fuser-added.php","integrations\u002Factivecampaign\u002Fincludes\u002Ftriggers\u002Fuser-tag-added.php","integrations\u002Faweber\u002Fincludes\u002Fajax-functions.php","integrations\u002Fbluesky\u002Fincludes\u002Fajax-functions.php","integrations\u002Fcampaign-monitor\u002Fincludes\u002Fajax-functions.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-40785 (AutomatorWP Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **AutomatorWP** plugin (versions \u003C= 5.6.7) is vulnerable to **Missing Authorization**. Multiple AJAX handlers registered via `wp_ajax_*` hooks perform sensitive configuration updates but lack capability checks (e.g., `current_user_can()`). While these handlers verify a WordPress nonce (`automatorwp_admin`), this nonce is frequently exposed to all authenticated users (including Subscribers) within the WordPress admin dashboard (e.g., on `profile.php`). An authenticated attacker with Subscriber-level access can use this nonce to overwrite integration settings, such as API keys for ActiveCampaign, AWeber, Bluesky, or Campaign Monitor.\n\n## 2. Attack Vector Analysis\n- **Endpoints**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Actions**: \n    - `automatorwp_activecampaign_refresh`\n    - `automatorwp_aweber_authorize`\n    - `automatorwp_bluesky_authorize`\n    - `automatorwp_campaign_monitor_authorize`\n- **Parameters**: \n    - `nonce`: The `automatorwp_admin` nonce.\n    - `client_id`, `client_secret` (for AWeber).\n    - `url`, `key` (for ActiveCampaign).\n- **Authentication**: Subscriber-level account.\n- **Preconditions**: The plugin must be active. Some integrations (like AWeber or ActiveCampaign) may need to be enabled or their settings tab accessed once to initialize option structures, though the code typically handles `get_option` defaults.\n\n## 3. Code Flow\n1. **Entry Point**: A Subscriber sends a POST request to `admin-ajax.php` with `action=automatorwp_aweber_authorize`.\n2. **Hook**: The hook `add_action( 'wp_ajax_automatorwp_aweber_authorize', 'automatorwp_aweber_ajax_authorize' )` in `integrations\u002Faweber\u002Fincludes\u002Fajax-functions.php` triggers.\n3. **Nonce Check**: `check_ajax_referer( 'automatorwp_admin', 'nonce' )` is called. This validates the CSRF token.\n4. **Authorization Gap**: The function **immediately** proceeds to process inputs without calling `current_user_can( 'manage_options' )` or the plugin-specific `automatorwp_get_manager_capability()`.\n5. **Sink**: \n    - `update_option( 'automatorwp_settings', $settings )` is called.\n    - User-controlled `client_id` and `client_secret` are saved into the site's global configuration.\n\n## 4. Nonce Acquisition Strategy\nThe `automatorwp_admin` nonce is used across the plugin for administrative AJAX tasks. It is typically localized for the WordPress admin environment.\n\n1. **Target Page**: Any `wp-admin` page accessible to a Subscriber (e.g., `\u002Fwp-admin\u002Fprofile.php` or the dashboard `\u002Fwp-admin\u002Findex.php`).\n2. **Variable Identification**: Based on standard AutomatorWP patterns (found in `includes\u002Fscripts.php`, though not provided, inferred from the `check_ajax_referer` key), the nonce is likely localized under a global object.\n3. **Execution**:\n   - Use `browser_navigate` to go to `\u002Fwp-admin\u002Fprofile.php`.\n   - Use `browser_eval` to search for the nonce:\n     - `browser_eval(\"window.automatorwp_admin?.nonce\")` (inferred)\n     - OR search the raw HTML for `automatorwp_admin` strings: `browser_eval(\"document.documentElement.innerHTML.match(\u002F\\\"nonce\\\":\\\"([a-f0-9]{10})\\\"\u002F)[1]\")`\n\n## 5. Exploitation Strategy\nWe will target the `automatorwp_aweber_authorize` action to overwrite settings.\n\n### Step 1: Authentication\nLogin as a Subscriber user and maintain the session.\n\n### Step 2: Nonce Extraction\nNavigate to the WordPress dashboard and extract the `automatorwp_admin` nonce.\n\n### Step 3: Unauthorized Configuration Update\nSend the following request using the `http_request` tool:\n\n- **Method**: `POST`\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```\n  action=automatorwp_aweber_authorize&nonce=[EXTRACTED_NONCE]&client_id=PWNED_ID&client_secret=PWNED_SECRET\n  ```\n\n### Step 4: Verification\nConfirm that the `automatorwp_settings` option has been updated with the malicious values.\n\n## 6. Test Data Setup\n1. **Users**: Create a user with the `subscriber` role.\n2. **Plugin**: Ensure `automatorwp` is installed and activated.\n3. **Optional**: Navigate to `AutomatorWP -> Settings` as Admin once to ensure the `automatorwp_settings` option is initialized in the database.\n\n## 7. Expected Results\n- The AJAX response should be a JSON success message: `{\"success\":true,\"data\":{\"message\":\"Settings saved successfully, redirecting to AWeber...\",\"redirect_url\":\"...\"}}`.\n- The WordPress database will now contain `PWNED_ID` and `PWNED_SECRET` within the `automatorwp_settings` option.\n\n## 8. Verification Steps\nAfter the exploit, run the following WP-CLI command to check the database state:\n```bash\nwp option get automatorwp_settings --format=json\n```\nVerify that the keys `automatorwp_aweber_client_id` and `automatorwp_aweber_client_secret` contain the attacker-supplied values.\n\n## 9. Alternative Approaches\nIf AWeber is not the target, use the ActiveCampaign refresh endpoint, which is even simpler as it requires no specific payloads:\n- **Action**: `automatorwp_activecampaign_refresh`\n- **Body**: `action=automatorwp_activecampaign_refresh&nonce=[NONCE]`\n- **Effect**: Regenerates the ActiveCampaign webhook slug and updates settings, effectively breaking any existing ActiveCampaign webhook integration.","AutomatorWP \u003C= 5.6.7 fails to perform capability checks in several AJAX handlers used for configuring integrations like AWeber, ActiveCampaign, and Bluesky. This allows authenticated attackers with Subscriber-level permissions to overwrite sensitive plugin settings, including API keys and client secrets, by exploiting a nonce that is exposed to all logged-in users.","\u002F\u002F integrations\u002Factivecampaign\u002Fincludes\u002Fajax-functions.php\n\u002F**\n * Set the default URL value\n *\n * @since 1.0.0\n *\n * @return string\n *\u002F\nfunction automatorwp_activecampaign_ajax_refresh( ) {\n    \u002F\u002F Security check\n    check_ajax_referer( 'automatorwp_admin', 'nonce' );\n\n    $prefix = 'automatorwp_activecampaign_';\n\n---\n\n\u002F\u002F integrations\u002Faweber\u002Fincludes\u002Fajax-functions.php\n\u002F**\n * AJAX handler for the authorize action\n *\n * @since 1.0.0\n *\u002F\nfunction automatorwp_aweber_ajax_authorize() {\n    \u002F\u002F Security check\n    check_ajax_referer( 'automatorwp_admin', 'nonce' );\n\n    $prefix = 'automatorwp_aweber_';\n\n---\n\n\u002F\u002F integrations\u002Fbluesky\u002Fincludes\u002Fajax-functions.php\n\u002F**\n * AJAX handler for the authorize action\n *\n * @since 1.0.0\n *\u002F\nfunction automatorwp_bluesky_ajax_authorize() {\n    \u002F\u002F Security check\n    check_ajax_referer( 'automatorwp_admin', 'nonce' );\n\n    $prefix = 'automatorwp_bluesky_';","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.7\u002Fautomatorwp.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.8\u002Fautomatorwp.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.7\u002Fautomatorwp.php\t2026-03-27 11:52:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.8\u002Fautomatorwp.php\t2026-04-08 07:49:58.000000000 +0000\n@@ -3,7 +3,7 @@\n  * Plugin Name:     \tAutomatorWP\n  * Plugin URI:      \thttps:\u002F\u002Fautomatorwp.com\n  * Description:     \tConnect your WordPress plugins together and create automated workflows with no code!\n- * Version:         \t5.6.7\n+ * Version:         \t5.6.8\n  * Author:          \tAutomatorWP\n  * Author URI:      \thttps:\u002F\u002Fautomatorwp.com\u002F\n  * Text Domain:     \tautomatorwp\n@@ -119,7 +119,7 @@\n     private function constants() {\n \n         \u002F\u002F Plugin version\n-        define( 'AUTOMATORWP_VER', '5.6.7' );\n+        define( 'AUTOMATORWP_VER', '5.6.8' );\n \n         \u002F\u002F Plugin file\n         define( 'AUTOMATORWP_FILE', __FILE__ );\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.7\u002Fintegrations\u002Factivecampaign\u002Fincludes\u002Fajax-functions.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.8\u002Fintegrations\u002Factivecampaign\u002Fincludes\u002Fajax-functions.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.7\u002Fintegrations\u002Factivecampaign\u002Fincludes\u002Fajax-functions.php\t2026-03-27 11:52:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.8\u002Fintegrations\u002Factivecampaign\u002Fincludes\u002Fajax-functions.php\t2026-04-08 07:49:58.000000000 +0000\n@@ -57,7 +57,7 @@\n \n     \u002F\u002F Update settings\n     update_option( 'automatorwp_settings', $settings );\n-    $admin_url = str_replace( 'http:\u002F\u002F', 'http:\u002F\u002F', get_admin_url() )  . 'admin.php?page=automatorwp_settings&tab=opt-tab-activecampaign';\n+    $admin_url = admin_url( 'admin.php?page=automatorwp_settings&tab=opt-tab-activecampaign' );\n    \n     wp_send_json_success( array(\n         'message' => __( 'Correct data to connect with ActiveCampaign', 'automatorwp' ),\n@@ -79,6 +79,11 @@\n     \u002F\u002F Security check\n     check_ajax_referer( 'automatorwp_admin', 'nonce' );\n \n+    \u002F\u002F Permissions check\n+    if( ! current_user_can( automatorwp_get_manager_capability() ) ) {\n+        wp_send_json_error( __( 'You\\'re not allowed to perform this action.', 'automatorwp' ) );\n+    }\n+\n     $prefix = 'automatorwp_activecampaign_';\n \n     \u002F\u002F Get random characters for slug\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.7\u002Fintegrations\u002Faweber\u002Fincludes\u002Fajax-functions.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.8\u002Fintegrations\u002Faweber\u002Fincludes\u002Fajax-functions.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.7\u002Fintegrations\u002Faweber\u002Fincludes\u002Fajax-functions.php\t2026-03-27 11:52:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.8\u002Fintegrations\u002Faweber\u002Fincludes\u002Fajax-functions.php\t2026-04-08 07:49:58.000000000 +0000\n@@ -18,6 +18,11 @@\n     \u002F\u002F Security check\n     check_ajax_referer( 'automatorwp_admin', 'nonce' );\n \n+    \u002F\u002F Permissions check\n+    if( ! current_user_can( automatorwp_get_manager_capability() ) ) {\n+        wp_send_json_error( __( 'You\\'re not allowed to perform this action.', 'automatorwp' ) );\n+    }\n+\n     $prefix = 'automatorwp_aweber_';\n \n     $client_id = sanitize_text_field( $_POST['client_id'] );\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.7\u002Fintegrations\u002Fbluesky\u002Fincludes\u002Fajax-functions.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.8\u002Fintegrations\u002Fbluesky\u002Fincludes\u002Fajax-functions.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.7\u002Fintegrations\u002Fbluesky\u002Fincludes\u002Fajax-functions.php\t2026-03-27 11:52:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.8\u002Fintegrations\u002Fbluesky\u002Fincludes\u002Fajax-functions.php\t2026-04-08 07:49:58.000000000 +0000\n@@ -19,6 +19,11 @@\n     \u002F\u002F Security check\n     check_ajax_referer( 'automatorwp_admin', 'nonce' );\n \n+    \u002F\u002F Permissions check\n+    if( ! current_user_can( automatorwp_get_manager_capability() ) ) {\n+        wp_send_json_error( __( 'You\\'re not allowed to perform this action.', 'automatorwp' ) );\n+    }\n+\n     $prefix = 'automatorwp_bluesky_';\n \n     $user_handle = automatorwp_bluesky_validate_name_account( sanitize_text_field( $_POST[\"user_handle\"] ) );\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.7\u002Fintegrations\u002Fcampaign-monitor\u002Fincludes\u002Fajax-functions.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.8\u002Fintegrations\u002Fcampaign-monitor\u002Fincludes\u002Fajax-functions.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.7\u002Fintegrations\u002Fcampaign-monitor\u002Fincludes\u002Fajax-functions.php\t2026-03-27 11:52:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fautomatorwp\u002F5.6.8\u002Fintegrations\u002Fcampaign-monitor\u002Fincludes\u002Fajax-functions.php\t2026-04-08 07:49:58.000000000 +0000\n@@ -19,6 +19,11 @@\n     \u002F\u002F Security check\n     check_ajax_referer( 'automatorwp_admin', 'nonce' );\n \n+    \u002F\u002F Permissions check\n+    if( ! current_user_can( automatorwp_get_manager_capability() ) ) {\n+        wp_send_json_error( __( 'You\\'re not allowed to perform this action.', 'automatorwp' ) );\n+    }\n+\n     $prefix = 'automatorwp_campaign_monitor_';\n \n     $url = automatorwp_campaign_monitor_get_url();","The exploit targets missing capability checks in AutomatorWP's AJAX handlers. \n\n1. **Nonce Extraction**: An authenticated attacker (with Subscriber-level access) logs into the WordPress dashboard. Because the plugin localizes the 'automatorwp_admin' nonce for various admin UI elements, the attacker can extract this nonce from the page source or JavaScript global objects (e.g., searching for the `nonce` key within `automatorwp_admin`).\n2. **Unauthorized Request**: Using the extracted nonce, the attacker sends a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php`. \n3. **Payload Construction**: The attacker specifies a vulnerable action such as `automatorwp_aweber_authorize` or `automatorwp_activecampaign_refresh`. For authorization actions, the attacker includes malicious `client_id` or `client_secret` parameters.\n4. **Result**: The AJAX handler validates the nonce but fails to check if the user has administrative privileges. It then proceeds to update the site's global `automatorwp_settings` option with the attacker-supplied values, effectively hijacking or disrupting the site's automated integrations.","gemini-3-flash-preview","2026-05-04 18:47:15","2026-05-04 18:47:34",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.6.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautomatorwp\u002Ftags\u002F5.6.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fautomatorwp.5.6.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautomatorwp\u002Ftags\u002F5.6.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fautomatorwp.5.6.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fautomatorwp\u002Ftags"]