Advisory

WP Automatic plugin for WordPress vulnerable to SQL injection, actively attacked

Take action: If you run the WP Automatic plugin for WordPress, patch it IMMEDIATELY. The flaw is being actively exploited, and it is quite possible your site has already been compromised. Check for unexpected administrator accounts in WordPress and for unknown files in your uploads directory.


Learn More

The WP Automatic plugin for WordPress, an automation tool for importing and publishing content that is installed on more than 30,000 websites, has a critical vulnerability tracked as CVE-2024-27956 (CVSS score 9.9). The SQL injection flaw lets unauthenticated attackers bypass the plugin's authentication check and execute arbitrary SQL queries against the affected site's database. Attackers have used it to create administrator accounts, giving them full control of the websites.

The vulnerability affects WP Automatic 3.92.0 and earlier. It was publicly disclosed by Patchstack's vulnerability mitigation service on March 13, 2024.

Since the disclosure, WPScan, a service owned by Automattic, has observed more than 5.5 million attempts to exploit the flaw, most of them on March 31, 2024. Attackers have not only planted backdoors but have also obfuscated their malicious code and renamed the vulnerable file, csv.php, both to hinder detection and to stop other attackers from exploiting the same vulnerability on a site they already control.

To maintain access, attackers have been installing additional plugins that allow file uploads and code editing. WPScan has published several indicators of compromise for administrators to check, including the presence of an administrator account whose username starts with "xtw" and files named web.php and index.php that serve as backdoors.
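The following script turns the indicators above (and the "check for new accounts and unknown uploads" advice in the take-action note) into a repeatable hunt. It is an added example written for this page, not WPScan's or the plugin vendor's code. It assumes the user list is in the shape of `wp user list --format=json` and that the plugin's main file is wp-content/plugins/wp-automatic/wp-automatic.php with a standard "Version:" header; the sample site and user list it builds are constructed test data, not observations from a real compromise.

```python
"""IoC hunt for the CVE-2024-27956 campaign (added example, not vendor/WPScan code)."""
import os
import re
import tempfile
from datetime import datetime

FIXED_VERSION = (3, 92, 1)          # advisory: update to 3.92.1 or later
DISCLOSURE = datetime(2024, 3, 13)  # Patchstack disclosure date from the advisory
# WordPress ships placeholder index.php files in plugin/theme/upload directories;
# an index.php that is neither that stub nor ordinary code deserves a look.
PLACEHOLDER = re.compile(r"^\s*<\?php\s*(//\s*Silence is golden\.?)?\s*$")
DANGEROUS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|create_function)\s*\(")

# Constructed sample in the shape of `wp user list --format=json` (assumption).
SAMPLE_USERS = [
    {"user_login": "site_owner", "roles": "administrator", "user_registered": "2022-05-01 09:12:00"},
    {"user_login": "xtw18387f2c", "roles": "administrator", "user_registered": "2024-03-31 04:21:09"},
    {"user_login": "xtwreader", "roles": "subscriber", "user_registered": "2024-04-01 10:00:00"},
    {"user_login": "helpdesk2", "roles": "administrator", "user_registered": "2024-04-02 15:30:00"},
]


def parse_version(text):
    """'3.92.0' -> (3, 92, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def plugin_is_vulnerable(plugin_main_file):
    """True if the plugin header reports a version below 3.92.1; None if no header."""
    with open(plugin_main_file, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            match = re.match(r"\s*\*?\s*Version:\s*([\d.]+)", line)
            if match:
                return parse_version(match.group(1)) < FIXED_VERSION
    return None


def suspicious_admins(users, since=DISCLOSURE):
    """Administrator accounts matching the xtw* IoC or created after disclosure."""
    hits = []
    for user in users:
        if "administrator" not in user.get("roles", "").split(","):
            continue
        login = user.get("user_login", "")
        created = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if login.lower().startswith("xtw"):
            hits.append((login, "username matches xtw* IoC"))
        elif created >= since:
            hits.append((login, "administrator created after disclosure"))
    return hits


def suspicious_files(wp_root):
    """web.php anywhere, plus index.php files carrying eval/decoding primitives."""
    hits = []
    for dirpath, _, names in os.walk(wp_root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name == "web.php":
                hits.append((path, "web.php backdoor name from IoC list"))
            elif name == "index.php":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    body = fh.read()
                if not PLACEHOLDER.match(body) and DANGEROUS.search(body):
                    hits.append((path, "index.php with obfuscation/eval primitives"))
    return hits


def run_hunt(wp_root, users):
    """Combine the three checks into one report for a site root and user list."""
    main_file = os.path.join(wp_root, "wp-content", "plugins", "wp-automatic", "wp-automatic.php")
    vulnerable = plugin_is_vulnerable(main_file) if os.path.exists(main_file) else None
    return {"plugin_vulnerable": vulnerable,
            "admins": suspicious_admins(users),
            "files": suspicious_files(wp_root)}


def build_sample_site():
    """Create a throw-away tree mimicking a compromised install (constructed data)."""
    root = tempfile.mkdtemp(prefix="wp-ioc-")
    files = {
        "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/plugins/wp-automatic/wp-automatic.php":
            "<?php\n/*\nPlugin Name: WP Automatic\nVersion: 3.92.0\n*/\n",
        "wp-content/uploads/index.php": "<?php\n// Silence is golden.\n",
        "wp-content/uploads/2024/03/web.php": "<?php eval(base64_decode($_POST['c']));\n",
        "wp-content/uploads/2024/03/index.php":
            "<?php\n@eval(gzinflate(base64_decode($_GET['x'])));\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    report = run_hunt(build_sample_site(), SAMPLE_USERS)
    print("plugin vulnerable:", report["plugin_vulnerable"])
    for login, why in report["admins"]:
        print("ADMIN", login, "-", why)
    for path, why in report["files"]:
        print("FILE ", path, "-", why)
```

On a real site, feed `run_hunt` the WordPress root and the output of `wp user list --format=json`; any hit is a reason to restore from a backup taken before the March 31 attack wave rather than to simply delete the flagged file, since the attackers also install plugins that give them upload and edit capability.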

Administrators are urged to update the WP Automatic plugin to version 3.92.1 or later. WPScan also advises site owners to back up their sites regularly so that a clean copy can be restored if a compromise is found.
