CVE-2025-9539 is a critical vulnerability affecting the AutomatorWP plugin for WordPress, which facilitates no-code automations, webhooks, and custom integrations. The root cause is a missing capability check in the automatorwp_ajax_import_automation_from_url function, which handles importing automations from URLs. This flaw allows any authenticated user with Subscriber-level access or above to create arbitrary automations without proper authorization. Since these automations can execute code when activated by an administrator, attackers can leverage this to perform remote code execution (RCE) or escalate privileges within the WordPress environment. The vulnerability is categorized as CWE-94, indicating improper control over code generation, which is a serious security risk. The CVSS v3.1 score is 8.0, reflecting high severity due to network exploitability, low attack complexity, and significant impacts on confidentiality, integrity, and availability. Exploitation requires user interaction (activation by an admin) but no initial elevated privileges beyond Subscriber. This vulnerability affects all versions up to 5.3.6 of the plugin. Although no public exploits are known yet, the potential for damage is substantial, especially in environments where multiple users have Subscriber or higher roles and administrators may activate automations without thorough review. The plugin is widely used in WordPress sites for automation tasks, increasing the attack surface. The lack of patch links suggests a fix may not yet be available, emphasizing the need for immediate mitigation steps.

The impact of CVE-2025-9539 is significant for organizations using the AutomatorWP plugin in WordPress environments. Attackers with minimal privileges (Subscriber-level) can create malicious automations that, once activated by an administrator, can execute arbitrary code on the server. This can lead to full system compromise, data theft, defacement, or further lateral movement within the network. The vulnerability threatens confidentiality by exposing sensitive data, integrity by allowing unauthorized code execution and data modification, and availability by potentially disrupting services through malicious payloads. Organizations with multiple users having Subscriber or higher roles are at increased risk, especially if administrators activate automations without strict validation. The exploitability over the network without complex attack vectors makes this vulnerability attractive to attackers. The absence of known exploits in the wild currently provides a window for proactive defense, but the risk of future exploitation is high. This vulnerability can also facilitate privilege escalation, enabling attackers to gain administrative control, further exacerbating the threat.

To mitigate CVE-2025-9539, organizations should immediately restrict Subscriber-level and other low-privilege user capabilities to prevent unauthorized creation of automations. Implement strict role-based access controls to limit who can create or import automations. Administrators should thoroughly review and validate any new or imported automations before activation, ideally in a sandboxed or staging environment. Monitoring and alerting should be enhanced to detect unusual automation creation or activation activities. Until a patch is released, consider disabling the AutomatorWP plugin or restricting its usage to trusted administrators only. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable function. Regularly audit user roles and permissions to minimize the number of users with access to automation features. Stay updated with vendor advisories for patches or official fixes and apply them promptly once available. Additionally, conduct security awareness training for administrators to recognize the risks of activating unverified automations.