Critical WordPress Automatic Plugin Vulnerability Exploited to Inject Backdoors


Threat actors are exploiting a critical-severity vulnerability in a plugin named WordPress Automatic to inject malicious code into websites, WordPress security scanner WPScan warns.

The issue, tracked as CVE-2024-27956 (CVSS score of 9.8), is described as an SQL injection (SQLi) flaw in the plugin’s handling of user authentication in one file, allowing attackers to inject code into a site’s database and gain administrator privileges.

Attackers can bypass the authentication mechanism by sending crafted requests to execute database queries and create a new administrator account that enables them to upload malicious files such as backdoors and web shells.

To evade detection, the attackers were seen renaming the vulnerable plugin file, ensuring that they can maintain access to the compromised site, while also preventing other threat actors from exploiting the same vulnerability.
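As an added defender-side check (not code from the article or from WPScan), the script below looks for the two post-exploitation traces described above: an administrator account registered on or after the public disclosure date, and plugin files changed recently (as the renamed vulnerable file would be). It assumes the CSV layout produced by WP-CLI's `wp user list --fields=ID,user_login,user_registered,roles --format=csv`; the sample CSV and the plugin directory path are constructed placeholders.

```shell
#!/bin/sh
# Disclosure date stated in the article (Patchstack, March 13, 2024).
DISCLOSURE_DATE="2024-03-13"

# Constructed sample of `wp user list ... --format=csv` output (not real site data).
SAMPLE_CSV='ID,user_login,user_registered,roles
1,siteowner,2021-06-02 09:14:51,administrator
5,editor2,2023-11-30 12:00:00,editor
7,wpadmin_a1,2024-03-21 03:07:12,administrator'

# Placeholder: path of the WordPress Automatic plugin directory on the site being audited.
PLUGIN_DIR="/var/www/html/wp-content/plugins/wp-automatic"

# Reads the CSV on stdin and prints administrator rows whose registration
# date (YYYY-MM-DD prefix of the user_registered column) is on or after $1.
# ISO dates compare correctly as strings, so awk string comparison suffices.
flag_recent_admins() {
    awk -F, -v cutoff="$1" \
        'NR > 1 && $4 == "administrator" && substr($3, 1, 10) >= cutoff'
}

# Lists files under plugin directory $1 modified within the last $2 days;
# a renamed or newly dropped file in the plugin tree shows up here.
recently_changed_plugin_files() {
    find "$1" -type f -mtime -"$2" 2>/dev/null
}

# Number of suspicious admins in the constructed sample (expected: 1, wpadmin_a1).
count_sample_recent_admins() {
    printf '%s\n' "$SAMPLE_CSV" | flag_recent_admins "$DISCLOSURE_DATE" | wc -l | tr -d ' '
}

# Stand-alone run: audit the sample, then the plugin directory if it exists.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "Administrators registered on/after $DISCLOSURE_DATE:"
    printf '%s\n' "$SAMPLE_CSV" | flag_recent_admins "$DISCLOSURE_DATE"
    if [ -d "$PLUGIN_DIR" ]; then
        echo "Plugin files changed in the last 30 days:"
        recently_changed_plugin_files "$PLUGIN_DIR" 30
    fi
fi
```

On a live site, replace the sample with `wp user list --fields=ID,user_login,user_registered,roles --format=csv | flag_recent_admins "$DISCLOSURE_DATE"` and review every hit against the site owner's own account list.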

“Since the attacker can use their acquired high privileges to install plugins and themes to the site, we noticed that, in most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code,” WPScan notes.

By exploiting this vulnerability, attackers could potentially take over affected websites, the security scanning platform warns.

Impacting Automatic versions up to 3.92.0, CVE-2024-27956 was publicly disclosed by Patchstack on March 13. Since then, WPScan has seen over 5 million attempts to exploit the bug.

The issue was fixed in Automatic version 3.92.1, which also addresses a critical-severity server-side request forgery (SSRF) and arbitrary file download flaw tracked as CVE-2024-27954, and a high-severity cross-site request forgery (CSRF) bug tracked as CVE-2024-27955, according to data from Defiant.


Successful exploitation of these vulnerabilities allows attackers to modify information from internal services, access arbitrary files on the server, and escalate privileges.

A premium plugin from ValvePress, Automatic allows users to automatically post from any website to WordPress, including from RSS feeds. The plugin has more than 38,000 paying customers.

WordPress Automatic users are advised to update their installations as soon as possible.
