CVE-2025-5487 in AutomatorWP Plugin

Summary

by MITRE • 06/14/2025

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the field_conditions parameter in all versions up to, and including, 5.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Administrators can configure the plugin to allow access to this functionality to authors and higher.


Analysis

by VulDB Data Team • 06/14/2025

The AutomatorWP plugin for WordPress presents a critical time-based SQL injection vulnerability identified as CVE-2025-5487 affecting versions through 5.2.3. This vulnerability resides within the plugin's handling of the field_conditions parameter, which processes user-supplied input without adequate sanitization or escaping mechanisms. The flaw demonstrates poor input validation practices that align with the common weakness enumeration CWE-89 (SQL injection), specifically manifesting as a time-based variant that can be exploited through timing attacks. The vulnerability occurs because the plugin fails to properly prepare or escape user input before incorporating it into existing SQL queries, creating an exploitable condition where malicious payloads can be injected into the database layer.

Attackers with administrator-level privileges or higher can leverage this vulnerability to execute arbitrary SQL commands against the WordPress database through the plugin's automation configuration interface. The time-based nature of this injection means that attackers can infer database contents by measuring response times, making the exploitation process more stealthy and difficult to detect through standard monitoring systems. This vulnerability is particularly concerning because it allows for data exfiltration without requiring external network access or complex exploitation techniques, as the attacker already possesses administrative credentials. The plugin's design permits administrators to grant access to this functionality to authors and higher user roles, potentially expanding the attack surface beyond just administrative accounts.

The operational impact of this vulnerability extends beyond simple data theft, as it can enable attackers to escalate privileges, modify user accounts, extract sensitive information such as user credentials, and potentially compromise the entire WordPress installation. The time-based SQL injection technique allows for reliable data extraction through boolean-based or time-based blind SQL injection methods, where attackers infer database contents by observing response delays. This vulnerability directly maps to several tactics in the MITRE ATT&CK framework under the execution and credential access domains, specifically targeting the use of SQL injection for privilege escalation and data exfiltration. The lack of proper parameter preparation and input validation creates a persistent threat vector that remains active as long as the vulnerable plugin version is installed.

Mitigation strategies should prioritize immediate patching to version 5.2.4 or later, where the SQL injection vulnerability has been addressed through proper input sanitization and parameter preparation. Administrators should implement the principle of least privilege by restricting plugin access to only those users who require it for legitimate automation purposes. Additional defensive measures include monitoring for unusual SQL query patterns, implementing web application firewalls with SQL injection detection capabilities, and conducting regular security audits of installed plugins. The vulnerability highlights the importance of proper SQL query preparation and input validation practices, emphasizing that all user-supplied data must be treated as untrusted and properly escaped before database interaction. Organizations should also consider implementing database activity monitoring to detect and alert on suspicious SQL injection attempts, particularly the timing-based probes that are characteristic of this vulnerability class.
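To make the "lack of sufficient preparation" concrete, here is the string-concatenation pattern the analysis describes beside a prepared, allowlisted form, as an added illustration that is not AutomatorWP's code; the table name, column allowlist and the shape of a condition entry are assumptions, and only the `$wpdb` API calls are real WordPress functions.

```php
<?php
// Added example, not the plugin's code. Uses the WordPress $wpdb API; the
// table, columns and condition array layout below are hypothetical.

// Unsafe pattern: request-controlled fragments are concatenated into the SQL.
function example_build_where_unsafe( array $field_conditions ) {
    $clauses = array();
    foreach ( $field_conditions as $cond ) {
        // field, operator and value all come from the request untouched
        $clauses[] = "{$cond['field']} {$cond['operator']} '{$cond['value']}'";
    }
    return $clauses ? ' WHERE ' . implode( ' AND ', $clauses ) : '';
}

// Hardened pattern: identifiers and operators are allowlisted, values are
// bound through $wpdb->prepare() placeholders and never interpolated.
function example_build_where_safe( array $field_conditions ) {
    global $wpdb;
    $allowed_fields    = array( 'post_id', 'user_id', 'status' ); // hypothetical schema
    $allowed_operators = array( '=', '!=', '<', '>', 'LIKE' );
    $clauses = array();
    $values  = array();
    foreach ( $field_conditions as $cond ) {
        $field = isset( $cond['field'] ) ? (string) $cond['field'] : '';
        $op    = isset( $cond['operator'] ) ? strtoupper( (string) $cond['operator'] ) : '';
        if ( ! in_array( $field, $allowed_fields, true ) || ! in_array( $op, $allowed_operators, true ) ) {
            continue; // unknown column or operator: drop it rather than interpolate it
        }
        $clauses[] = "`{$field}` {$op} %s"; // the value is bound, not inlined
        $values[]  = isset( $cond['value'] ) ? (string) $cond['value'] : '';
    }
    if ( ! $clauses ) {
        return '';
    }
    return $wpdb->prepare( ' WHERE ' . implode( ' AND ', $clauses ), $values );
}

function example_query_logs( array $field_conditions ) {
    global $wpdb;
    // Least privilege: the feature can be opened to lower roles, so gate it explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        return array();
    }
    $table = $wpdb->prefix . 'example_automation_logs'; // hypothetical table
    $sql   = "SELECT id, user_id, status FROM {$table}" . example_build_where_safe( $field_conditions );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

Because the column and operator come from fixed allowlists and every value is a `%s` placeholder, a crafted `field_conditions` entry can only change which rows match, not the shape of the query.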

Reservation

06/02/2025

Disclosure

06/14/2025

Moderation

accepted

CPE

ready

EPSS

0.00334

KEV

no

Activities

very low
