A severe security flaw in the WP-Automatic plugin for WordPress, known as CVE-2024-27956, has been actively exploited by threat actors, posing a critical risk to WordPress sites. This SQL injection vulnerability allows unauthorized users to manipulate the database, enabling them to create admin-level accounts, upload malicious files, and potentially take full control of affected websites. The vulnerability affects all versions of the plugin prior to 3.9.2.0 and has a high severity rating with a CVSS score of 9.9, indicating its potential for significant impact.
WPScan, a WordPress security monitoring service, has reported that attackers have been exploiting this vulnerability to execute unauthorized database queries and establish new admin accounts. These accounts are often used to install additional plugins that facilitate further malicious activities such as file uploads or code modifications. This effectively turns compromised sites into staging grounds for additional exploitation or malware distribution.
In response to the threat, attackers have also been observed taking steps to maintain their presence on the infected sites discreetly. Techniques include renaming the vulnerable WP-Automatic plugin files to obscure names, which makes it harder for security tools and site administrators to detect and remove the malicious code. This tactic not only secures the attackers’ control over the site but also potentially wards off other malicious actors.
The issue was first disclosed by Patchstack, a WordPress security firm, on March 13, 2024, and since then, there have been over 5.5 million attempts to exploit this flaw. In addition to CVE-2024-27956, Patchstack has highlighted other critical vulnerabilities in popular WordPress plugins that could be exploited in similar ways, demonstrating the ongoing risk and the need for continual vigilance and prompt patching practices among WordPress users and administrators.
