CVE-2026-42775

Vulnerability

The AutomatorWP plugin for WordPress versions up to and including 5.7.2 contains an unauthenticated stored cross-site scripting (XSS) vulnerability. The flaw resides in insufficient input sanitization and output escaping, allowing injection of arbitrary HTML and JavaScript. No special user role or authentication is required to trigger the vulnerable code path.

Exploitation

An unauthenticated attacker can inject a malicious payload (e.g., JavaScript) through a crafted request. Successful exploitation requires a privileged user—such as an administrator or editor—to subsequently interact with a page that renders the injected payload, for example by clicking a link, visiting a crafted page, or submitting a form. The attacker does not need any prior access or authentication.

Impact

Upon successful execution, the attacker's script runs in the context of the victim's session. This can be used to steal session cookies, perform actions on behalf of the victim, redirect visitors to malicious sites, or inject unauthorized advertisements and other HTML content. The impact is heightened because no authentication is needed to inject the payload, and the plugin is widely deployed.

Mitigation

The vulnerability is fixed in version 5.7.3. Users should update to this version or later immediately. If updating is not possible, Patchstack has issued a mitigation rule that blocks attacks until a patch is applied. Auto-updates can be enabled for vulnerable plugins via Patchstack [1]. No other workarounds have been published at this time.