CVE-2026-40785, severity HIGH, CNA: Patchstack

CVE-2026-40785: WordPress AutomatorWP plugin <= 5.6.7 - Broken Authentication vulnerability

Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions.

Metrics

CVSS v3.1 base score: 7.1
Severity: HIGH
Fixed in: no fix version published upstream yet
Affected products: 1


HarborGuard Analysis

Synopsis

This is a broken authentication vulnerability in the AutomatorWP WordPress plugin at version 5.6.7 and earlier. A remote attacker with only a low-privilege account (such as a WordPress subscriber) can reach the affected endpoint over the network without any victim interaction. Successful exploitation allows the attacker to corrupt or deny access to the affected service and make limited unauthorized modifications to application data. HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as the upstream fix is published.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the AutomatorWP plugin, in both registry scans and CI pipeline checks.

Triage (status: Available)

HarborGuard is capable of scoring this finding at CVSS 7.1 (HIGH) and weighting it further against each environment's compliance policy. Routed alerts can be directed to the appropriate team inbox within the customer organization based on configured ownership rules.

Patch (status: Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the meantime, customers can review compensating controls through the HarborGuard advisory detail panel.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Required

    A low-privilege account such as a WordPress subscriber role is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any other user to trigger the vulnerability.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layouts, or other unpredictable environmental factors.

Blast Radius

  • Crashes or makes the affected WordPress service unavailable, disrupting all users of the site (CVSS Availability: HIGH).
  • Makes limited unauthorized writes or modifications to application data, such as altering automation records managed by the plugin (CVSS Integrity: LOW).
  • No confidential data is directly readable through this vulnerability alone (CVSS Confidentiality: NONE).
  • Impact is contained to the vulnerable application instance and does not propagate to other systems on the host (Scope: Unchanged).

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-40785 at this time, the platform monitors the Patchstack advisory feed on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published. Customers with auto-remediation enabled will receive the rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention. While waiting for an upstream patch, compensating controls worth considering include restricting subscriber-role registration if it is not required, applying network-policy rules to limit external access to the WordPress admin surface, and using a web application firewall rule to block requests matching the vulnerable endpoint pattern. HarborGuard will continue to flag any image that bundles AutomatorWP at or below version 5.6.7 until a fixed version is confirmed in the upstream advisory.

Affected packages
  • Ruben Garcia / AutomatorWP, versions ≤ 5.6.7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H