CVE-2026-40785

Vulnerability

The AutomatorWP plugin for WordPress versions up to and including 5.6.7 suffers from a broken authentication vulnerability. Specifically, authenticated users with Subscriber role can bypass authorization checks to perform actions that should be restricted to higher-privileged users. This affects any site running the vulnerable plugin version. [1]

Exploitation

An attacker with a valid Subscriber account on the target WordPress site can exploit this flaw. No additional privileges or special network position is required beyond being logged in as a Subscriber. The exact steps are not publicly detailed, but the vulnerability allows the attacker to execute actions normally reserved for administrators, such as modifying site settings or creating new admin users. [1]

Impact

Successful exploitation leads to privilege escalation from Subscriber to Administrator. The attacker gains full administrative control over the WordPress site, enabling complete compromise including data manipulation, code execution, and further attacks on visitors. The impact is considered highly dangerous and is expected to be used in mass-exploit campaigns. [1]

Mitigation

The vulnerability is fixed in version 5.6.8 of the AutomatorWP plugin. Users should update immediately. If unable to update, Patchstack offers a mitigation rule that blocks attacks until the update is applied. No other workarounds are provided. [1]