April 27, 2024

WordPress Automatic Plugin Vulnerability: A Severe Threat Unfolding

  • 🔥 Hackers are actively exploiting a critical vulnerability in the WordPress Automatic plugin that allows complete website takeover.
  • 🔒 The vulnerability (CVE-2024-27956) has a severity rating of 9.9 out of 10 and impacts versions 3.92.0 and below of the plugin.
  • 🐞 The plugin developer silently patched the flaw in version 3.92.1, but did not mention the critical fix in the release notes.
  • 💻 Successful attacks involve SQL injection to create admin accounts, upload malware, and rename files to maintain access.
  • ⚠️ Over 5.5 million exploitation attempts have been recorded since the vulnerability was disclosed on March 13, 2024.
  • 🚨 Website owners using the WP Automatic plugin should immediately update to the latest patched version and scan their servers for signs of compromise.

The WordPress ecosystem has once again found itself under siege, this time facing a severe vulnerability that has caught the attention of malicious actors worldwide. The WordPress Automatic plugin, a popular tool used by over 38,000 websites, has been the target of a critical flaw that allows hackers to gain complete control over affected websites.

The Vulnerability: A Breakdown

Identified as CVE-2024-27956, this vulnerability has been assigned a severity rating of 9.9 out of 10, indicating an extremely high risk. It affects all versions of the WordPress Automatic plugin up to and including 3.92.0. The flaw resides in the plugin’s authentication mechanism, enabling attackers to bypass the normal authentication process and execute unauthorized database queries.

Attack Vectors: SQL Injection and Beyond

Leveraging this vulnerability, hackers can employ SQL injection techniques to create admin-level user accounts within the compromised WordPress installation. Once an admin account is established, the attackers can upload and execute malicious payloads, such as web shells or backdoors, granting them persistent access to the website’s server.

Moreover, attackers have been observed employing a clever tactic to maintain their foothold on compromised websites. By renaming the vulnerable WordPress Automatic plugin file, they can prevent website owners or security tools from identifying and blocking the issue, ensuring their continued access to the compromised site.

A Silent Patch and Missed Opportunity

While the plugin developer, ValvePress, released a patched version (3.92.1) addressing the vulnerability, the release notes failed to mention the critical fix. This oversight potentially left website owners unaware of the urgency to update, providing a window of opportunity for hackers to exploit the vulnerability.

Exploitation Attempts: A Surge of Malicious Activity

The severity of the situation is further highlighted by the staggering number of exploitation attempts recorded since the vulnerability’s disclosure on March 13, 2024. Researchers from WPScan have logged over 5.5 million attempts to exploit the vulnerability, with the activity peaking on March 31.

Protecting Your Website: A Call to Action

If your website is running the WordPress Automatic plugin, immediate action is crucial. Website owners are strongly advised to update to the latest patched version (3.92.1 or newer) and conduct a comprehensive scan of their servers for signs of compromise.

Security experts recommend utilizing reliable indicators of compromise (IOCs) provided by trusted sources, such as WPScan, to identify potential malware uploads, unauthorized admin accounts, or any other suspicious activity on the server.
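As an added illustration of the checks described above (not code from WPScan, ValvePress or the original article), the following Python sketch compares an installed plugin version against the patched release 3.92.1 and lists administrator accounts registered on or after the March 13, 2024 disclosure date. It assumes the default `wp_` table prefix and uses a constructed in-memory SQLite database in place of a real WordPress database; the account names and timestamps are made up.

```python
import re
import sqlite3

FIXED = (3, 92, 1)                  # first patched release named in the article
DISCLOSED = "2024-03-13 00:00:00"   # disclosure date named in the article

def is_vulnerable(version):
    """True when a WP Automatic version string is older than 3.92.1."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts)) < FIXED

# WordPress stores roles in usermeta under "<prefix>capabilities" as a
# PHP-serialized array; the default "wp_" table prefix is assumed here.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= ?
ORDER BY u.user_registered
"""

def admins_created_since(conn, since=DISCLOSED):
    """Administrator accounts registered on or after `since`, for manual review."""
    return conn.execute(ADMIN_QUERY, (since,)).fetchall()

def sample_db():
    """Constructed rows standing in for a real WordPress database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_users VALUES
      (1, 'siteowner',   '2021-06-02 09:15:00'),
      (2, 'editor_jane', '2024-03-20 11:00:00'),
      (3, 'svc_temp01',  '2024-03-29 04:12:55');
    INSERT INTO wp_usermeta VALUES
      (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
      (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
      (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn

if __name__ == "__main__":
    print("3.92.0 vulnerable:", is_vulnerable("3.92.0"))
    for row in admins_created_since(sample_db()):
        print("review admin account:", row)
```

An account returned by the query is a candidate for review, not proof of compromise; confirm each one with the site's legitimate administrators.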


The vulnerability in the WordPress Automatic plugin serves as a stark reminder of the ever-evolving landscape of cyber threats. Website owners and WordPress administrators must remain vigilant, promptly addressing security updates and implementing best practices to safeguard their online presence. By taking proactive measures and staying informed, the WordPress community can collectively mitigate the impact of such vulnerabilities and enhance the overall security of the platform.