WP-Automatic Plugin Vulnerability Exploited by Hackers to Establish Admin Accounts on WordPress Sites
Active attempts are being made by threat actors to exploit a critical security vulnerability in the ValvePress Automatic plugin for WordPress, which has the potential to enable site takeovers.
The vulnerability, designated CVE-2024-27956, has been assigned a CVSS score of 9.9 out of a possible 10. It affects all plugin versions preceding 3.92.0. Version 3.92.1, released on February 27, 2024, resolves the issue, although its release notes do not mention the fix.
“This risk, a SQL injection (SQLi) flaw, presents a serious risk as attackers are able to exploit it to obtain illegal access to websites, create admin‑level user accounts, upload malicious files, and possibly assume full control of affected sites,” WPScan stated in a security alert this week.
According to WPScan, which is owned by Automattic, the problem originates in the plugin's user authentication mechanism, which can be bypassed with specially crafted requests to run arbitrary SQL queries against the database.
CVE-2024-27956 is currently being exploited in the identified attacks to execute unauthorized database queries and generate new administrator accounts on vulnerable WordPress sites (e.g., with usernames beginning with “xtw”). These newly created accounts may subsequently be utilized for post-exploitation activities.
This encompasses the installation of extensions that enable code editing and file uploading, suggesting efforts to repurpose the compromised websites as stagers.
“Once a WordPress site has been compromised, cybercriminals assure the continued existence of their access through the development of backdoors and hiding the code,” according to WPScan. “To escape detection and keep access, cybercriminals may also rename the vulnerable WP‑Automatic file, rendering it hard for website owners or security tools to recognize or block the issue.”
The renamed file is "/wp-content/plugins/wp-automatic/inc/csv65f82ab408b3.php." The original filename is "/wp-content/plugins/wp-automatic/inc/csv.php."
However, the renaming may also be an attempt by the threat actors to prevent other attackers from exploiting the sites that are already under their control.
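The indicators given above (plugin versions older than 3.92.0, the renamed csv.php under inc/, and administrator accounts whose login starts with "xtw") can be checked from the defender's side without touching the vulnerable endpoint. The script below is an added example and is not code from the article, WPScan or Patchstack. It assumes the standard WordPress layout wp-content/plugins/wp-automatic/ and the standard "Version:" plugin header; the file tree and user list it inspects are constructed samples built in a temporary directory. It generalises the single renamed filename reported in the article to any csv*.php in inc/ other than csv.php.

```python
"""Defender-side checker for the CVE-2024-27956 post-exploitation indicators
described in the article (added example; assumptions are marked inline)."""
import os
import re
import tempfile

VULN_FIXED_IN = (3, 92, 0)            # article: all versions before 3.92.0 are affected
PLUGIN_REL = os.path.join("wp-content", "plugins", "wp-automatic")  # standard WP layout (assumed)
RENAMED_CSV = "csv65f82ab408b3.php"   # renamed file reported by WPScan
SUSPICIOUS_USER_PREFIX = "xtw"        # username prefix reported for the rogue admin accounts


def parse_version(header_text):
    """Return the plugin version from a 'Version:' header line as an int tuple, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(version):
    """True when version < 3.92.0; missing components are treated as 0."""
    padded = tuple(version) + (0,) * (3 - len(version))
    return padded[:3] < VULN_FIXED_IN


def check_install(docroot):
    """Scan one WordPress docroot and return a list of human-readable findings."""
    findings = []
    plugin_dir = os.path.join(docroot, PLUGIN_REL)
    if not os.path.isdir(plugin_dir):
        return findings

    # The plugin's main file name is not given in the article, so look at every
    # top-level .php file for a version header instead of assuming a name.
    version = None
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if name.endswith(".php") and os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            if version is not None:
                break
    if version is None:
        findings.append("wp-automatic: could not determine plugin version")
    elif is_vulnerable_version(version):
        findings.append(
            f"wp-automatic {'.'.join(map(str, version))} is older than 3.92.0 (CVE-2024-27956)")

    # Renamed csv.php: exact name from the article, plus any other csv*.php variant.
    inc_dir = os.path.join(plugin_dir, "inc")
    if os.path.isdir(inc_dir):
        for name in sorted(os.listdir(inc_dir)):
            if name == RENAMED_CSV or (
                    name.startswith("csv") and name.endswith(".php") and name != "csv.php"):
                findings.append(f"renamed csv.php variant present: inc/{name}")
    return findings


def suspicious_admins(users):
    """users: iterable of (user_login, role) pairs, e.g. exported from wp_users/wp_usermeta.
    Returns administrator logins that match the reported 'xtw' prefix."""
    return [login for login, role in users
            if role == "administrator" and login.lower().startswith(SUSPICIOUS_USER_PREFIX)]


def build_demo_tree(root):
    """Constructed sample docroot: an old plugin version plus the renamed csv.php."""
    plugin_dir = os.path.join(root, PLUGIN_REL)
    os.makedirs(os.path.join(plugin_dir, "inc"))
    with open(os.path.join(plugin_dir, "wp-automatic.php"), "w") as fh:  # file name is a sample
        fh.write("<?php\n/*\nPlugin Name: WP Automatic\nVersion: 3.91.0\n*/\n")
    with open(os.path.join(plugin_dir, "inc", RENAMED_CSV), "w") as fh:
        fh.write("<?php // placeholder standing in for the renamed csv.php\n")


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return check_install(root)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
    # constructed user list: one rogue admin, one matching name without admin role
    print(suspicious_admins([("xtw1a2b3c", "administrator"),
                             ("xtwguest", "subscriber"),
                             ("siteowner", "administrator")]))
```

On a real site, point check_install at the document root and feed suspicious_admins the output of a user export (for example from WP-CLI or a direct query on wp_users joined with wp_usermeta); a hit on any of the three indicators warrants treating the site as compromised rather than merely unpatched, since the renamed file and the xtw accounts only appear after a successful exploit.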
The vulnerability CVE-2024-27956 was made public on March 13, 2024, by the WordPress security firm Patchstack. Subsequent to that, over 5.5 million unauthorized attempts to exploit the vulnerability have been identified in the field.
The revelation coincides with the discovery of critical vulnerabilities in plugins such as User Registration (CVE-2024-2417, CVSS score: 8.8), Email Subscribers by Icegram Express (CVE-2024-2876, CVSS score: 9.8), and Forminator (CVE-2024-28890, CVSS score: 9.8), which could be exploited to upload arbitrary files, retrieve sensitive data (password hashes) from the database, or grant an authenticated user administrative privileges.
Patchstack has also issued a warning regarding an unpatched vulnerability in the Poll Maker plugin (CVE-2024-32514, CVSS score: 9.9) that enables remote code execution by authenticated attackers with subscriber-level access or higher who upload arbitrary files to the server of the compromised website.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.