CVE-2026-42650

Vulnerability

AutomatorWP versions up to and including 5.6.7 are vulnerable to an unauthenticated Cross Site Scripting (XSS) flaw. The vulnerability exists due to insufficient input sanitization, allowing injection of arbitrary HTML and JavaScript when a visitor loads a page containing the crafted payload. No authentication is required to trigger the vulnerability.

Exploitation

An attacker can exploit this vulnerability by injecting a malicious script (e.g., via a crafted URL or parameter) that, when visited by any user, executes in the context of the victim's browser. The attacker does not need any special privileges or network position other than the ability to deliver the payload to a WordPress site running the vulnerable plugin.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any visitor. This can lead to redirects, display of fraudulent advertisements, theft of session cookies, or other actions that compromise the integrity and confidentiality of the victim's interaction with the site.

Mitigation

Update the AutomatorWP plugin to version 5.6.8 or later, which contains the fix. A mitigation rule is also available via Patchstack to block attacks until the patch is applied [1]. No workaround other than updating or using the mitigation rule is mentioned in the available references.