Hackers exploit the WP-Automatic plugin bug to create administrator accounts on WordPress sites

April 26, 2024 | Pressroom | Threat Intelligence / Cyber Attacks


Threat actors are actively attempting to exploit a critical security flaw in the WP-Automatic plugin for WordPress that could allow site takeovers.

The flaw, tracked as CVE-2024-27956, has a CVSS score of 9.9 out of a possible 10. It affects all versions of the plugin prior to 3.9.2.0.

“This vulnerability, a SQL injection (SQLi) flaw, poses a serious threat as attackers can exploit it to gain unauthorized access to websites, create administrator-level user accounts, upload malicious files, and potentially take full control of affected sites,” WPScan said in an advisory this week.

According to the Automattic-owned company, the problem is rooted in the plugin’s user authentication mechanism, which can be trivially bypassed to execute arbitrary SQL queries against the database via specially crafted requests.


In attacks observed so far, CVE-2024-27956 is used to run unauthorized database queries and to create new administrator accounts on susceptible WordPress sites (e.g., with usernames starting with “xtw”), which could then be leveraged for follow-on post-exploitation actions.

This includes installing plugins that allow file uploads or code edits, indicating attempts to repurpose the infected sites as stagers.

“Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code,” WPScan said. “To evade detection and maintain access, attackers can also rename the vulnerable WP-Automatic file, making it difficult for website owners or security tools to identify or block the issue.”

The file in question is “/wp-content/plugins/wp-automatic/inc/csv.php,” which has been renamed to something like “wp-content/plugins/wp-automatic/inc/csv65f82ab408b3.php.”
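A defender-side check for the two indicators described above (renamed copies of csv.php in the plugin directory and “xtw”-prefixed administrator accounts), written here as an added example rather than code from WPScan or the plugin; the user rows assume the `user_login` and `roles` fields produced by `wp user list --format=json`, and all sample data is constructed:

```python
import re
from pathlib import PurePosixPath

# Indicators from the article: renamed copies of the vulnerable csv.php inside
# the WP-Automatic plugin, and new administrator accounts named "xtw...".
PLUGIN_INC_DIR = PurePosixPath("wp-content/plugins/wp-automatic/inc")
RENAMED_CSV = re.compile(r"^csv[0-9a-f]+\.php$", re.IGNORECASE)  # needs a hex suffix, so csv.php itself never matches
SUSPECT_USER_PREFIX = "xtw"


def find_renamed_csv(paths):
    """Return files in the plugin's inc/ directory that look like a renamed csv.php."""
    hits = []
    for p in paths:
        path = PurePosixPath(p)
        if path.parent == PLUGIN_INC_DIR and RENAMED_CSV.match(path.name):
            hits.append(str(path))
    return hits


def find_suspect_admins(users):
    """Return administrator usernames matching the observed "xtw" naming pattern.

    `users` is a list of dicts shaped like `wp user list --format=json` rows
    (assumed fields: user_login, roles as a comma-separated string).
    """
    return [
        u["user_login"]
        for u in users
        if "administrator" in u.get("roles", "").split(",")
        and u["user_login"].lower().startswith(SUSPECT_USER_PREFIX)
    ]


# Constructed sample data for a stand-alone run (not real site contents).
SAMPLE_FILES = [
    "wp-content/plugins/wp-automatic/inc/csv.php",
    "wp-content/plugins/wp-automatic/inc/csv65f82ab408b3.php",
    "wp-content/plugins/wp-automatic/inc/other-file.php",
    "wp-content/plugins/some-other-plugin/csv1234.php",  # outside the plugin, ignored
]
SAMPLE_USERS = [
    {"user_login": "editor_jane", "roles": "editor"},
    {"user_login": "xtwq8k2", "roles": "administrator"},
    {"user_login": "siteadmin", "roles": "administrator"},
]

if __name__ == "__main__":
    for f in find_renamed_csv(SAMPLE_FILES):
        print("renamed plugin file:", f)
    for u in find_suspect_admins(SAMPLE_USERS):
        print("suspect administrator account:", u)
```

On a live site, feed `find_renamed_csv` the output of a filesystem walk and `find_suspect_admins` the parsed JSON from WP-CLI; any hit warrants a closer look rather than automatic deletion.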

That said, it’s possible that threat actors are doing this in an effort to prevent other attackers from exploiting sites already under their control.

CVE-2024-27956 was publicly disclosed by WordPress security company Patchstack on March 13, 2024. Since then, more than 5.5 million attack attempts have been detected to weaponize the flaw.


The disclosure comes as serious bugs have been found in plugins such as Icegram Express Email Subscribers (CVE-2024-2876, CVSS score: 9.8), Forminator (CVE-2024-28890, CVSS score: 9.8), and User Registration (CVE-2024-2417, CVSS score: 8.8) which could be used to extract sensitive data such as password hashes from the database, upload arbitrary files, and grant administrator privileges to an authenticated user.

Patchstack also advised of an unpatched issue in the Poll Maker plugin (CVE-2024-32514, CVSS score: 9.9) that allows authenticated attackers, with access at subscriber level and above, to upload arbitrary files to the server of the affected site, leading to remote code execution.
