HIGH · CVE-2026-42775 · CNA: Patchstack

CVE-2026-42775: WordPress AutomatorWP plugin <= 5.7.2 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.7.2 versions.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A reflected or stored cross-site scripting (XSS) vulnerability affects the AutomatorWP WordPress plugin at version 5.7.2 and earlier. The vulnerability is reachable over the network and requires no authentication, but an authenticated victim (such as a site administrator) must interact with a crafted link or page for the attack to succeed. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, enabling session theft, page content modification, and limited disruption of the affected service. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-42775 is available across every HarborGuard environment. The CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the AutomatorWP plugin.

Triage (Available)

Triage is available using the CVSS v3.1 score of 7.1 (HIGH), weighted against each customer organization's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer environment based on configured ownership rules.

Patch (Pending upstream)

Because no upstream fix version has been published for this CVE, HarborGuard re-evaluates the advisory on each ingest cycle and will make a patched-image rebuild available the moment a fix is released by the maintainer. In the interim, compensating-control recommendations are surfaced to customers running affected images.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, meaning an attacker can send crafted requests to the target WordPress site from the internet without requiring local or physical access.

  • Authentication: Not required

    No account or credentials are needed to craft and deliver the malicious payload to the target site.

  • Victim interaction: Required

    A victim (typically a logged-in administrator or privileged user) must interact with a crafted link or visit a manipulated page for the injected script to execute in their browser.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

  • Reads session cookies or authentication tokens from the victim's browser, enabling account takeover of the interacting user.
  • Modifies the visible content of the WordPress admin interface or front-end pages within the victim's active session.
  • Performs actions on behalf of the victim user, such as changing settings or creating new accounts, by abusing their authenticated session.
  • Causes limited disruption to the victim's browser session, degrading their ability to interact with the affected WordPress site.

How HarborGuard Handles This

Available on HarborGuard: detection against all customer images containing the AutomatorWP plugin at version 5.7.2 or earlier is active as of ingestion. Because no upstream patch has been published, HarborGuard monitors the Patchstack advisory and the AutomatorWP release feed on every ingest cycle. The moment a fix version is released, a patched-image rebuild will become available, and customers with auto-remediation enabled will receive a rebuild, a regression-test run, and a PR opened against affected workloads automatically. Until a patch is available, recommended compensating controls include restricting access to WordPress admin surfaces via network policy (allowlisting known IP ranges), applying a web application firewall rule to block script injection patterns on plugin-specific endpoints, and auditing which container images include this plugin to reduce the exposed surface.

Affected packages
  • Ruben Garcia / AutomatorWP ≤ 5.7.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
References