Hackers Exploit Severe WordPress Plugin Vulnerability

WordPress Automatic Plugin

Hackers are currently targeting websites that use a popular WordPress plugin, making millions of attempts to exploit a high-severity vulnerability that allows for complete takeover. The vulnerability is found in WordPress Automatic, a plugin used by over 38,000 paying customers. This plugin is used by websites running the WordPress content management system to incorporate content from other sites.

Last month, researchers from security firm Patchstack disclosed that WP Automatic versions 3.92.0 and below had a vulnerability with a severity rating of 9.9 out of a possible 10. The plugin developer, ValvePress, quietly published a patch, which is available in versions 3.92.1 and beyond.

The flaw, tracked as CVE-2024-27956, is classified as a SQL injection. This type of vulnerability arises when a web application builds backend database queries from user-supplied input without properly sanitizing or parameterizing it. By entering strings with specially positioned apostrophes into vulnerable website fields, attackers can execute SQL statements that perform various sensitive actions, including returning confidential data, granting administrative system privileges, or subverting how the web app works.
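To make the mechanism concrete, here is an added illustration (not code from the article, the plugin, or ValvePress) using a constructed, WordPress-style users table in SQLite: the first lookup pastes the caller's value into the SQL text, so an apostrophe in that value closes the string literal and the remainder is parsed as SQL; the second binds it as a parameter, which is how the flaw is normally fixed.

```python
import sqlite3

# Constructed stand-in for a WordPress-style users table (sample data only).
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_users (user_login, user_email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_login: str) -> list:
    # Defect: the untrusted value is concatenated into the query text, so a
    # quote character ends the literal and whatever follows becomes SQL.
    sql = (
        "SELECT user_login, user_email FROM wp_users WHERE user_login = '"
        + user_login
        + "'"
    )
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, user_login: str) -> list:
    # Fix: a bound parameter is always treated as data, never parsed as SQL,
    # so the same input simply matches no row.
    sql = "SELECT user_login, user_email FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (user_login,)).fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    crafted = "nobody' OR '1'='1"  # constructed input with a positioned apostrophe
    print(lookup_vulnerable(db, crafted))  # every row: the WHERE clause is now always true
    print(lookup_safe(db, crafted))        # []: no account has that literal login
```

In WordPress code the equivalent of the safe form is passing values through the database layer's prepared-statement API rather than interpolating them into the query string.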

According to Patchstack researchers, “This vulnerability is highly dangerous and expected to become mass exploited.”

Web security firm WPScan reported that it has logged more than 5.5 million attempts to exploit the vulnerability since the March 13 disclosure by Patchstack. The attempts began slowly and peaked on March 31. However, the firm did not disclose how many of these attempts were successful.

WPScan explained that CVE-2024-27956 allows unauthenticated website visitors to create admin-level user accounts, upload malicious files, and take full control of affected sites. The vulnerability, which resides in how the plugin handles user authentication, allows attackers to bypass the normal authentication process and inject SQL code that grants them elevated system privileges. From there, they can upload and execute malicious payloads that rename sensitive files to prevent the site owner or fellow hackers from controlling the hijacked site.

Successful attacks typically follow this process:

  • SQL Injection (SQLi): Attackers leverage the SQLi vulnerability in the WP‑Automatic plugin to execute unauthorized database queries.
  • Admin User Creation: With the ability to execute arbitrary SQL queries, attackers can create new admin‑level user accounts within WordPress.
  • Malware Upload: Once an admin‑level account is created, attackers can upload malicious files, typically web shells or backdoors, to the compromised website’s server.
  • File Renaming: Attackers may rename the vulnerable WP‑Automatic file to ensure only they can exploit it.

Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code. To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue.

The attacks began shortly after March 13, 15 days after ValvePress released version 3.92.1 without mentioning the critical patch in the release notes. ValvePress representatives didn’t immediately respond to a message seeking an explanation.

While researchers at Patchstack and WPScan are classifying CVE-2024-27956 as SQL injection, an experienced developer said his reading of the vulnerability is that it’s either improper authorization (CWE-285) or a subcategory of improper access control (CWE-284).

Regardless of the classification, the vulnerability is about as severe as it gets. Users should patch the plugin immediately. They should also carefully analyze their servers for signs of exploitation using the indicators of compromise data provided in the WPScan post linked above.
