Critical WP-Automatic Plugin Vulnerability Exposes Websites to Severe Security Risks

Cybercriminals are currently targeting a severe vulnerability in the WP-Automatic plugin for WordPress, which can lead to the complete takeover of websites. Identified as CVE-2024-27956, this vulnerability has a high severity rating of 9.9 on the CVSS scale and affects all versions of the plugin before 3.9.2.0.

The flaw is a SQL injection vulnerability that presents a significant risk, as it allows attackers to gain unauthorized access to websites, create administrative user accounts, upload harmful files, and potentially assume total control of the affected sites, according to a recent warning from WPScan.

The vulnerability stems from a weakness in the plugin’s user authentication system that easily allows attackers to perform arbitrary SQL queries through specially crafted requests.

Recent attacks exploiting CVE-2024-27956 involve unauthorized database queries and the creation of new admin accounts on vulnerable WordPress sites, typically with usernames beginning with “xtw”. These actions can facilitate further malicious activities such as installing additional plugins to upload files or modify code, effectively repurposing the compromised sites.

WPScan also noted that once a site is compromised, perpetrators seek to ensure persistent access by installing backdoors and obscuring the code. To avoid detection and maintain control, they might also rename the affected WP-Automatic file, complicating efforts by site owners or security tools to detect or block the vulnerability. The file typically targeted is “/wp-content/plugins/wp-automatic/inc/csv.php,” often renamed to obscure formats like “wp-content/plugins/wp-automatic/inc/csv65f82ab408b3.php.”
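The three indicators the article gives (the affected version range before 3.9.2.0, administrator accounts whose usernames begin with "xtw", and `inc/csv.php` renamed to a `csv<hex>.php` variant) can be turned into a quick triage check. The script below is an added example written for this page, not code from WPScan, Patchstack or the WP-Automatic project; the sample version string, the user list (laid out in the shape of a `wp user list --format=csv` export, with the column set assumed) and the file listing are all constructed, and the `xtwabc123` username is a made-up value chosen only to match the reported prefix.

```python
"""
Triage helper for the CVE-2024-27956 indicators described in the article.
All inputs are constructed samples; the function names and CSV columns are
assumptions made for this example, not part of any WordPress or WP-CLI API.
"""
import csv
import io
import re
from pathlib import PurePosixPath

# Advisory boundary: every WP-Automatic release before 3.9.2.0 is affected.
FIXED_VERSION = (3, 9, 2, 0)

# Reported indicator: injected administrator usernames begin with "xtw".
SUSPICIOUS_USER_PREFIX = "xtw"

# Reported indicator: inc/csv.php is renamed to csv<hex>.php,
# e.g. csv65f82ab408b3.php. Plain csv.php itself does not match.
RENAMED_CSV_RE = re.compile(r"^csv[0-9a-f]+\.php$", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn '3.9.1.9' into (3, 9, 1, 9); short strings are zero-padded to 4 parts."""
    parts = [int(p) for p in version.strip().split(".") if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_vulnerable_version(version: str) -> bool:
    """True when the installed plugin version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def suspicious_admins(user_csv: str) -> list:
    """Return administrator usernames that start with the reported 'xtw' prefix.

    Expects a CSV with at least 'user_login' and 'roles' columns (assumed layout).
    """
    reader = csv.DictReader(io.StringIO(user_csv))
    return [
        row["user_login"]
        for row in reader
        if "administrator" in row["roles"].split(",")
        and row["user_login"].lower().startswith(SUSPICIOUS_USER_PREFIX)
    ]


def renamed_csv_files(paths: list) -> list:
    """Return paths under wp-automatic/inc/ whose name looks like a renamed csv.php."""
    hits = []
    for p in paths:
        path = PurePosixPath(p)
        in_inc_dir = path.parent.as_posix().endswith("wp-automatic/inc")
        if in_inc_dir and RENAMED_CSV_RE.match(path.name):
            hits.append(p)
    return hits


def triage(version: str, user_csv: str, paths: list) -> dict:
    """Combine the three checks into one report dictionary."""
    return {
        "vulnerable_version": is_vulnerable_version(version),
        "suspicious_admins": suspicious_admins(user_csv),
        "renamed_csv_files": renamed_csv_files(paths),
    }


# Constructed sample inputs (not taken from any real site).
SAMPLE_VERSION = "3.9.1.9"
SAMPLE_USERS = """ID,user_login,user_email,roles
1,admin,owner@example.com,administrator
2,editor1,editor@example.com,editor
3,xtwabc123,unknown@example.com,administrator
"""
SAMPLE_FILES = [
    "wp-content/plugins/wp-automatic/inc/csv.php",
    "wp-content/plugins/wp-automatic/inc/csv65f82ab408b3.php",
    "wp-content/plugins/wp-automatic/inc/helper.php",
]


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VERSION, SAMPLE_USERS, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

On a live site the same functions would be fed the plugin's version from its header, a user export, and a recursive listing of `wp-content/plugins/wp-automatic/`; a hit on any of the three checks is a reason to take the site offline for a full integrity review rather than just deleting the flagged account or file, since the article notes attackers also plant backdoors elsewhere.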

The exploitation of this vulnerability may also be an effort by threat actors to block other malicious entities from using the compromised sites they control.

The flaw was first made public by WordPress security firm Patchstack on March 13, 2024, and since then, over 5.5 million attempts to exploit this vulnerability have been observed.

The announcement coincides with the discovery of critical vulnerabilities in other WordPress plugins such as Email Subscribers by Icegram Express, Forminator, and User Registration, which pose risks including data theft, file upload, and unauthorized administrative access. Additionally, Patchstack has highlighted an unresolved vulnerability in the Poll Maker plugin that permits authenticated users to upload files and execute code remotely, posing another severe threat to website security.

The exploitation of CVE-2024-27956, a critical security vulnerability in the WP-Automatic plugin for WordPress, represents a severe threat to the integrity and security of countless websites. This vulnerability, a SQL injection flaw, allows attackers to bypass standard authentication mechanisms, facilitating unauthorized access to the site’s database. This can result in the alteration or theft of sensitive data, undermining the trust and reliability of the website.

For website owners and users, the consequences can be catastrophic. Attackers can create administrative accounts, granting themselves full privileges to manage the website. With such access, they can upload malicious files and modify existing content, which can be used to launch further attacks on visitors of the website, such as spreading malware or phishing attempts. Moreover, by gaining control over the website, attackers can manipulate its functionalities and redirect visitors to fraudulent sites, significantly damaging the site’s reputation and its owner’s business operations.

The ability of attackers to rename critical files within the WP-Automatic plugin further complicates the detection of the intrusion. This tactic helps sustain their presence on the infected site, making it difficult for security measures to identify and remove the malicious alterations. Such persistence not only extends the duration of potential harmful activities but also complicates recovery efforts, increasing the cost and time needed to restore the website to normal operations.

The broad impact of this vulnerability underscores the critical need for proactive security measures. Website owners must ensure their plugins are up to date and monitor their sites for unusual activity. Businesses such as bakeries, government websites, and an Atlanta child custody lawyer could be vulnerable to these attacks if they don’t take the needed measures to secure their websites. Additionally, installing robust security solutions that can detect and mitigate such threats is crucial. Regular security audits and the implementation of a strong cybersecurity framework can significantly reduce the risk of such vulnerabilities being exploited.

Ultimately, the presence of CVE-2024-27956 in widely used plugins like WP-Automatic highlights the continuous risk and challenges website owners face in protecting their digital assets in an ever-evolving threat landscape. The economic and reputational impact on affected websites can be profound, emphasizing the importance of cybersecurity diligence.

Published April 26th, 2024 | Plugins