    Hackers Exploit WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites

    Threat actors are actively exploiting a critical security flaw in the WP-Automatic plugin for WordPress, posing a significant risk of site takeovers.

    The vulnerability, identified as CVE-2024-27956, has a CVSS score of 9.9 out of 10 and affects all versions of the plugin prior to 3.9.2.0.

    “This SQL injection (SQLi) flaw presents a serious threat as attackers can exploit it to gain unauthorized access to websites, create admin-level user accounts, upload malicious files, and potentially take full control of affected sites,” warned WPScan in a recent alert.

    The issue stems from the plugin’s user authentication mechanism, which can be easily bypassed to execute arbitrary SQL queries against the database through specially crafted requests.

    In observed attacks, CVE-2024-27956 has been leveraged to perform unauthorized database queries and establish new admin accounts on vulnerable WordPress sites (e.g., usernames beginning with “xtw”). These accounts could then be exploited for further malicious actions, such as installing plugins to upload files or modify code, indicating attempts to repurpose the compromised sites.

    “Once a WordPress site is compromised, attackers ensure the persistence of their access by creating backdoors and obfuscating the code,” WPScan explained. “To evade detection and maintain access, attackers may also rename the vulnerable WP-Automatic file, making it challenging for website owners or security tools to identify or block the issue.”

    The targeted file, “/wp-content/plugins/wp-automatic/inc/csv.php,” is often renamed to something like “wp-content/plugins/wp-automatic/inc/csv65f82ab408b3.php.” However, this tactic might also serve to deter other attackers from exploiting sites already under their control.
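As an added triage example (not code from WPScan, Patchstack or the article), the Python below checks an install for the three indicators described above: a WP-Automatic version older than 3.9.2.0, a renamed `csv.php` inside `wp-automatic/inc/`, and administrator accounts whose login begins with "xtw". The inputs (version string, directory listing, user/role list) and the hex-suffix pattern for the renamed file are assumptions; the sample data is constructed.

```python
import re

# Version at which the SQL injection (CVE-2024-27956) was fixed, per the advisory.
PATCHED_VERSION = "3.9.2.0"
# Assumed pattern for the renamed endpoint, e.g. csv65f82ab408b3.php (hex suffix).
RENAMED_CSV_RE = re.compile(r"^csv[0-9a-f]{6,}\.php$")
# Username prefix observed on rogue admin accounts in the wild.
ROGUE_USER_PREFIX = "xtw"


def parse_version(v):
    """Turn '3.9.2.0' into (3, 9, 2, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable_version(installed):
    """True if the installed WP-Automatic version predates the fix."""
    return parse_version(installed) < parse_version(PATCHED_VERSION)


def find_renamed_csv_files(inc_listing):
    """Return file names in wp-automatic/inc/ that look like a renamed csv.php."""
    return sorted(n for n in inc_listing if RENAMED_CSV_RE.match(n))


def find_rogue_admins(users):
    """users: iterable of (login, roles) tuples, e.g. joined from wp_users/wp_usermeta."""
    return sorted(login for login, roles in users
                  if "administrator" in roles and login.startswith(ROGUE_USER_PREFIX))


def triage(installed_version, inc_listing, users):
    """Collect human-readable findings; an empty list means no indicator matched."""
    findings = []
    if is_vulnerable_version(installed_version):
        findings.append(f"wp-automatic {installed_version} < {PATCHED_VERSION}: update the plugin")
    for name in find_renamed_csv_files(inc_listing):
        findings.append(f"renamed endpoint present: inc/{name}")
    for login in find_rogue_admins(users):
        findings.append(f"suspicious administrator account: {login}")
    return findings


# Constructed sample data mimicking a compromised install (not real site data).
SAMPLE_INC = ["csv.php", "csv65f82ab408b3.php", "index.php", "functions.php"]
SAMPLE_USERS = [("admin", ["administrator"]), ("editor1", ["editor"]),
                ("xtw1a2b3c", ["administrator"]), ("xtwsub", ["subscriber"])]

if __name__ == "__main__":
    for line in triage("3.9.1.0", SAMPLE_INC, SAMPLE_USERS):
        print(line)
```

A subscriber-level "xtw" account is deliberately not flagged by `find_rogue_admins`; widen the role check if the site's policy treats any unexpected account as suspicious.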

    The vulnerability CVE-2024-27956 was disclosed by WordPress security firm Patchstack on March 13, 2024. Since then, over 5.5 million attack attempts aiming to exploit the flaw have been detected in the wild.

    This disclosure coincides with the revelation of severe vulnerabilities in plugins like Email Subscribers by Icegram Express (CVE-2024-2876, CVSS score: 9.8), Forminator (CVE-2024-28890, CVSS score: 9.8), and User Registration (CVE-2024-2417, CVSS score: 8.8), which could facilitate the extraction of sensitive data such as password hashes from the database, unauthorized file uploads, and granting admin privileges to an authenticated user.

    Patchstack has also raised awareness of an unpatched issue in the Poll Maker plugin (CVE-2024-32514, CVSS score: 9.9), enabling authenticated attackers with subscriber-level access and above to upload arbitrary files to the affected site’s server, potentially leading to remote code execution.
