This vulnerability (CVE-2026-42650) affects AutomatorWP, a product by Ruben Garcia, specifically versions up to 5.6.7. It is an unauthenticated cross-site scripting (XSS) flaw, meaning attackers can inject malicious scripts into web pages generated by the application without needing to log in. The CVSS 3.1 base score is 7.2, reflecting a high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality and integrity with scope change. The vulnerability is publicly known and published but lacks an official remediation level or patch link. No known exploits in the wild have been reported.

Successful exploitation could allow remote attackers to execute arbitrary scripts in the context of the affected web application, potentially leading to data disclosure and integrity compromise. The vulnerability does not impact availability. Because it is unauthenticated and remotely exploitable, it poses a significant risk to affected systems.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider applying temporary mitigations such as input validation or output encoding if feasible. Monitor official Ruben Garcia or AutomatorWP channels for updates and patches.