
CVE-2025-9539: CWE-94 Improper Control of Generation of Code ('Code Injection') in rubengc AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress

Severity: High
Tags: Vulnerability, CVE-2025-9539, CWE-94
Published: Tue Sep 09 2025 (09/09/2025, 06:40:36 UTC)
Source: CVE Database V5
Vendor/Project: rubengc
Product: AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress

Description

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privilege escalation once such automation is activated by the administrator.

AI-Powered Analysis

AI analysis last updated: 09/09/2025, 06:49:17 UTC

Technical Analysis

CVE-2025-9539 is a high-severity vulnerability affecting the AutomatorWP – Automator plugin for WordPress, which facilitates no-code automations, webhooks, and custom integrations. The vulnerability arises from improper access control in the function automatorwp_ajax_import_automation_from_url, which lacks a proper capability check. This flaw allows authenticated users with as low as Subscriber-level privileges to create arbitrary automation workflows. When an administrator activates such a malicious automation, it can lead to Remote Code Execution (RCE) or privilege escalation, effectively compromising the WordPress environment. The underlying weakness is classified as CWE-94, indicating improper control over code generation, which enables attackers to inject and execute arbitrary code. The CVSS v3.1 base score is 8.0, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and requiring only low privileges and user interaction (administrator activation). No known exploits are currently reported in the wild, but the vulnerability is present in all versions up to and including 5.3.6. Given WordPress’s widespread use and the plugin’s role in automations and integrations, exploitation could allow attackers to pivot within the environment, escalate privileges, and execute arbitrary commands, potentially leading to full site compromise.

Potential Impact

For European organizations relying on WordPress sites with the AutomatorWP plugin, this vulnerability poses a significant risk. Attackers with minimal privileges (Subscriber level) can leverage this flaw to execute arbitrary code, potentially leading to full site takeover, data breaches, defacement, or use of the compromised site as a foothold for further attacks within the network. This is particularly critical for organizations handling sensitive personal data under GDPR, as a breach could lead to regulatory penalties and reputational damage. The ability to escalate privileges and execute code remotely also threatens the integrity and availability of web services, which may disrupt business operations. Given the plugin’s no-code automation features, malicious automations could be crafted to manipulate workflows, exfiltrate data, or introduce persistent backdoors. European entities with public-facing WordPress sites, especially in sectors like e-commerce, education, government, and media, are at heightened risk due to the potential for targeted exploitation and the strategic value of such sites.

Mitigation Recommendations

1. Immediate patching: Organizations should update the AutomatorWP plugin to a version where this vulnerability is fixed once available. Until then, consider disabling the plugin or restricting its usage.
2. Privilege minimization: Limit Subscriber-level accounts and review user roles to ensure only trusted users have access.
3. Monitor and audit: Implement logging and monitoring of automation creation and activation events to detect suspicious activities.
4. Harden administrator workflows: Require multi-factor authentication (MFA) for administrators who activate automations to reduce the risk of compromised admin accounts enabling malicious automations.
5. Web application firewall (WAF): Deploy WAF rules to detect and block suspicious requests targeting the vulnerable function, especially those attempting to import automations from URLs.
6. Code review and testing: For organizations developing custom automations, enforce strict validation and sanitization of inputs to prevent code injection.
7. Incident response readiness: Prepare for potential exploitation by having backup and recovery procedures in place and conducting regular security assessments of WordPress environments.
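The root cause named in the description is an AJAX handler reachable by any logged-in user without a capability check. The following is an added illustration, not AutomatorWP's own code, of how a WordPress AJAX import handler is expected to be gated: nonce verification, a capability check, URL validation, a safe fetch, an audit log line, and storing the result in a non-active state. The action name, callback, nonce action and post type (`example_*`) are hypothetical.

```php
<?php
// Hardened WordPress AJAX handler pattern (added example; names are hypothetical).
add_action( 'wp_ajax_example_import_automation_from_url', 'example_import_automation_from_url' );

function example_import_automation_from_url() {
    // 1. CSRF protection: the request must carry a nonce bound to this action.
    check_ajax_referer( 'example_import_automation', 'nonce' );

    // 2. Authorization: this is the capability check whose absence lets
    //    Subscriber-level accounts create automations in the vulnerable versions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only an absolute http(s) URL.
    $url    = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $scheme = $url ? wp_parse_url( $url, PHP_URL_SCHEME ) : '';
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid URL.' ), 400 );
    }

    // 4. Fetch with wp_safe_remote_get(), which refuses local/private hosts by default.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( array( 'message' => 'Could not fetch automation.' ), 502 );
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( array( 'message' => 'Malformed automation payload.' ), 400 );
    }

    // 5. Audit trail for the monitoring recommended above: who imported what, from where.
    error_log( sprintf( 'automation import by user %d from %s', get_current_user_id(), $url ) );

    // 6. Persist as a draft so nothing runs until an administrator reviews and enables it.
    $id = wp_insert_post( array(
        'post_type'    => 'example_automation',   // hypothetical custom post type
        'post_status'  => 'draft',
        'post_title'   => sanitize_text_field( $data['title'] ?? 'Imported automation' ),
        'post_content' => wp_json_encode( $data ),
        'post_author'  => get_current_user_id(),
    ), true );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( array( 'message' => 'Could not store automation.' ), 500 );
    }
    wp_send_json_success( array( 'automation_id' => $id ) );
}
```

When reviewing a plugin's handlers, the check to look for is step 2: every `wp_ajax_*` callback that changes state should call `current_user_can()` with a capability appropriate to that action, not merely rely on the user being logged in.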


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-08-27T12:25:37.390Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68bfcdd7fab242a8024d3084

Added to database: 9/9/2025, 6:48:55 AM

Last enriched: 9/9/2025, 6:49:17 AM

Last updated: 9/9/2025, 9:09:19 AM
