Threat actors are exploiting a critical-severity vulnerability in a plugin named WordPress Automatic to inject malicious code into websites, WordPress security scanner WPScan warns.
The issue, tracked as CVE-2024-27956 (CVSS score of 9.8), is described as an SQL injection (SQLi) flaw in the plugin’s handling of user authentication in one file, allowing attackers to inject code into a site’s database and gain administrator privileges.
Attackers can bypass the authentication mechanism by sending crafted requests to execute database queries and create a new administrator account that enables them to upload malicious files such as backdoors and web shells.
To evade detection, the attackers were seen renaming the vulnerable plugin file, ensuring that they can maintain access to the compromised site, while also preventing other threat actors from exploiting the same vulnerability.
“Since the attacker can use their acquired high privileges to install plugins and themes to the site, we noticed that, in most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code,” WPScan notes.
By exploiting this vulnerability, attackers could potentially take over affected websites, the security scanning platform warns.
Impacting Automatic versions up to 3.92.0, CVE-2024-27956 was publicly disclosed by Patchstack on March 13. Since then, WPScan has seen over 5 million attempts to exploit the bug.
The issue was addressed in Automatic version 3.92.1, which also addresses a critical-severity server-side request forgery (SSRF) and arbitrary file download flaw tracked as CVE-2024-27954, and a high-severity cross-site request forgery (CSRF) bug tracked as CVE-2024-27955, data from Defiant shows.
Successful exploitation of these vulnerabilities allows attackers to modify information from internal services, access arbitrary files on the server, and escalate privileges.
A premium plugin from ValvePress, Automatic allows users to automatically post from any website to WordPress, including from RSS feeds. The plugin has more than 38,000 paying customers.
WordPress Automatic users are advised to update their installations as soon as possible.
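Two checks a site owner can run offline after reading the above, as an added example (not code from WPScan, Patchstack, Defiant or ValvePress): a version comparison against the fixed release 3.92.1 named in the article, and a sweep of a `wp_users`/`wp_usermeta` export for administrator accounts that are not on the owner's allowlist and were registered on or after the March 13, 2024 disclosure date, the account-creation pattern the article describes. The `WPUser` records are constructed sample data; the `wp_capabilities` values use WordPress's standard PHP-serialized role format.

```python
"""Post-incident checks for the WordPress Automatic SQLi (CVE-2024-27956).

Added example, not code from WPScan, Patchstack or ValvePress. The user records
at the bottom are constructed sample data, not an export from a real site.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Set, Tuple

FIXED_VERSION: Tuple[int, int, int] = (3, 92, 1)   # first release with the fix (from the article)
DISCLOSURE_DATE = date(2024, 3, 13)                # Patchstack public disclosure (from the article)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'3.92.0' -> (3, 92, 0); a missing patch component is treated as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable_version(version: str) -> bool:
    """True for any Automatic release below 3.92.1, i.e. up to and including 3.92.0."""
    return parse_version(version) < FIXED_VERSION


@dataclass
class WPUser:
    login: str
    registered: date        # wp_users.user_registered
    capabilities: str       # wp_usermeta 'wp_capabilities' value (PHP-serialized array)


def is_administrator(user: WPUser) -> bool:
    # WordPress serializes roles as a PHP array; the administrator role appears as this fragment.
    return 's:13:"administrator";b:1;' in user.capabilities


def suspicious_admins(users: Iterable[WPUser], known_admins: Set[str],
                      since: date = DISCLOSURE_DATE) -> List[WPUser]:
    """Administrator accounts not on the owner's allowlist, registered on or after `since`."""
    return [u for u in users
            if is_administrator(u) and u.login not in known_admins and u.registered >= since]


# Constructed sample export (hypothetical accounts, not real data).
SAMPLE_USERS = [
    WPUser("siteowner", date(2021, 5, 2), 'a:1:{s:13:"administrator";b:1;}'),
    WPUser("editor1", date(2023, 9, 14), 'a:1:{s:6:"editor";b:1;}'),
    WPUser("devops", date(2024, 4, 1), 'a:1:{s:13:"administrator";b:1;}'),
    WPUser("wp-update-svc", date(2024, 4, 20), 'a:1:{s:13:"administrator";b:1;}'),
]

if __name__ == "__main__":
    print("plugin 3.92.0 vulnerable:", is_vulnerable_version("3.92.0"))
    print("plugin 3.92.1 vulnerable:", is_vulnerable_version("3.92.1"))
    for u in suspicious_admins(SAMPLE_USERS, known_admins={"siteowner", "devops"}):
        print(f"review admin account {u.login!r} registered {u.registered}")
```

The allowlist matters more than the date: an attacker-created account can carry any registration timestamp once they hold database write access, so treat every administrator you did not create as suspect and use the date only to prioritise review.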