WordPress plugin vulnerability poses severe security risk, allows for site takeovers

In a nutshell: Many WordPress plugins are designed to enhance the content management system’s ability to quickly and easily share content from almost anywhere on the internet. But one particularly popular plugin has seemingly been making life easier for cyber-criminals, too.

The WP Automatic plugin is affected by a severe security vulnerability that hackers have been exploiting since last month. The plugin, which has over 38,000 paid customers, lets WordPress sites effortlessly add new posts from various sources, such as RSS feeds, YouTube, Twitter, or content generated through ChatGPT.

Tracked as CVE-2024-27956, the flaw was disclosed by security company Patchstack in March and received a severity rating of 9.9 (out of 10). It is described as a highly dangerous SQL injection vulnerability, with analysts anticipating widespread exploitation after hackers became aware of it. According to Patchstack, malicious actors can “directly interact” with a WordPress site’s SQL database, potentially manipulating personal information, user accounts, and more.

ValvePress, the publisher of WP Automatic, addressed the SQL injection flaw in the latest plugin version (3.92.1) without acknowledging the fixed issue in the release notes. Nonetheless, hackers were quick to discover CVE-2024-27956; a recent bulletin by security company WPScan said that the bug had been targeted by more than 5.5 million attack attempts since March 13, 2024.

WPScan describes the typical exploitation process for CVE-2024-27956, which starts with the execution of an unauthorized database query and ends with total ownership of the compromised website. Once in, hackers can create new admin user accounts, upload new malware and plugins, and more. Criminals may also rename the vulnerable WP Automatic (WAP) PHP script, ensuring that no other “cyber-gang” can exploit the flaw.

Once a WordPress site is compromised, an attacker can create backdoors and obfuscate their malicious code. In most of the compromised sites discovered by WPScan, cyber-criminals installed their own plugins to upload files and easily edit code. CVE-2024-27956 represents an extremely serious security risk, and all WP Automatic customers are urged to update to the latest version of the plugin immediately, although some researchers question whether it qualifies as a “true” SQL injection issue.

An unnamed developer has noted that the WP Automatic plugin is designed to process SQL queries from authorized users only. CVE-2024-27956 allows hackers to circumvent these authorization controls, whereas an SQL injection occurs when an attacker embeds SQL code in what is “supposed to be only data,” which, according to the developer, is not the case with WAP.
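The distinction the developer draws is worth seeing in code. The example below is added here for illustration and is not code from WP Automatic, ValvePress, Patchstack or WPScan; the table name, sample users and token values are constructed. It contrasts a classic SQL injection (user-supplied text is spliced into the SQL string, so quote characters rewrite the query) with its parameterised fix, and then shows a feature that deliberately accepts SQL from an operator, where there is no "data" to parameterise and the authorization check is the only control, which is the situation the developer describes for WAP.

```python
import hmac
import sqlite3

# Constructed sample rows standing in for a WordPress users table (not real site data).
SAMPLE_USERS = [
    ("alice", "subscriber"),
    ("bob", "editor"),
    ("carol", "administrator"),
]


def make_db():
    """Build an in-memory SQLite database with a minimal wp_users-like table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (user_login TEXT, role TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_role_vulnerable(conn, user_login):
    """Textbook SQL injection: the value is interpolated into the SQL text,
    so a quote in the input changes the structure of the WHERE clause."""
    sql = f"SELECT user_login, role FROM wp_users WHERE user_login = '{user_login}'"
    return conn.execute(sql).fetchall()


def lookup_role_safe(conn, user_login):
    """Parameterised query: the driver passes the value separately from the
    statement, so it is only ever compared as data and never parsed as SQL."""
    sql = "SELECT user_login, role FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (user_login,)).fetchall()


def run_privileged_query(conn, sql, presented_token, expected_token):
    """A feature that intentionally runs operator-supplied SQL. Nothing here can
    be parameterised, because the SQL itself is the input; the authorization
    check is the whole control, which is why bypassing it is so damaging.
    hmac.compare_digest avoids leaking the token through timing differences."""
    if not hmac.compare_digest(presented_token, expected_token):
        raise PermissionError("unauthorized: refusing to run caller-supplied SQL")
    return conn.execute(sql).fetchall()


def query_is_refused(conn, sql, presented_token, expected_token):
    """Helper returning True when the authorization gate rejects the request."""
    try:
        run_privileged_query(conn, sql, presented_token, expected_token)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # benign demonstration input against the local in-memory table
    print("vulnerable lookup returned", len(lookup_role_vulnerable(db, crafted)), "rows")
    print("parameterised lookup returned", len(lookup_role_safe(db, crafted)), "rows")
    print("wrong token refused:", query_is_refused(db, "SELECT count(*) FROM wp_users", "wrong", "s3cret"))
```

Run against the in-memory table, the vulnerable lookup returns every row for the crafted input while the parameterised version returns none, because the same bytes are treated as a literal login name. The privileged-query function shows the other failure mode from the article: once the authorization gate is bypassed, the attacker's SQL runs exactly as an administrator's would, with no injection needed.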