HarborGuard Database

CVE-2026-42650 | Severity: HIGH | CNA: Patchstack

CVE-2026-42650: WordPress AutomatorWP plugin <= 5.6.7 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.6.7 versions.

Metrics

  • CVSS v3.1 score: 7.2
  • Severity: HIGH
  • Fixed in: no fix version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is a reflected or stored cross-site scripting (XSS) vulnerability in the AutomatorWP WordPress plugin at version 5.6.7 and earlier. The flaw is reachable over the network with no authentication required and no victim interaction needed, based on the CVSS vector. Successful exploitation allows an attacker to inject malicious scripts into pages served to users, enabling session hijacking, credential theft, or unauthorized actions performed in the context of affected users. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-42650 is available across every HarborGuard environment, with the CVE ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the AutomatorWP plugin. Any image in a connected registry or CI pipeline carrying AutomatorWP at or below version 5.6.7 is flagged automatically.

Triage: Available

Triage is available using the CVSS 3.1 score of 7.2 (High severity), weighted against each customer organization's per-environment compliance policy to determine urgency and ownership. Findings are routed to the appropriate team inbox within each customer org based on configured policy rules.

Patch: Pending upstream

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Not required

    No account or session credentials are needed; the attacker can trigger the vulnerability as an unauthenticated visitor.

  • Victim interaction: Not required

    The CVSS vector specifies UI:N, meaning exploitation does not depend on a logged-in user clicking a link or taking any other action.

  • Attack complexity: Low

    Attack complexity is Low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other variable environmental factors.

Blast Radius

  • An attacker can inject scripts that read session cookies or authentication tokens from browsers of users visiting affected pages.
  • Injected scripts can perform actions within the WordPress admin or front-end on behalf of authenticated users, such as modifying content or settings.
  • The scope is marked Changed (S:C) in the CVSS vector: the vulnerable component (the WordPress server running the plugin) differs from the impacted component (the visitor's browser), so the impact extends beyond the plugin itself to the user's browser session and other resources on the same origin.

How HarborGuard Handles This

Available on HarborGuard: detection for this vulnerability is active against all images containing AutomatorWP at or below version 5.6.7, with no configuration required. Because no upstream fix has been published, the immediate recommendation is to apply compensating controls at the container and network layer: restrict public access to WordPress endpoints that invoke AutomatorWP functionality via network policy, consider feature-flag or configuration-level disabling of affected AutomatorWP triggers if the plugin supports it, and apply egress filtering to limit the potential reach of any injected script callbacks. HarborGuard monitors the Patchstack advisory on every ingest cycle; when an upstream patch is published, a patched-image rebuild will become available immediately, and customers with auto-remediation enabled will receive a rebuild, regression test run, and a PR opened against affected workloads without any manual steps required.

Affected packages
  • Ruben Garcia / AutomatorWP: ≤ 5.6.7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
References