
Critical Flaw in WP-Automatic Plugin Allows Hackers to Create Admin Accounts on WordPress Sites: What You Need to Know

Attackers are actively exploiting a critical security vulnerability in the WP-Automatic plugin for WordPress to gain unauthorized access to sites and, in some cases, take full control of them.

The vulnerability, tracked as CVE-2024-27956, carries a CVSS score of 9.9 out of 10 and affects all versions of the plugin prior to 3.9.2.0, so any site running an earlier release should update to 3.9.2.0 or later.

According to WPScan, the flaw is a SQL injection (SQLi) vulnerability and poses a severe risk: it lets attackers gain unauthorized access to a site, create administrator-level accounts, upload malicious files, and potentially take complete control of the site.

The Automattic-owned company said the issue stems from the plugin's user authentication mechanism, which can be trivially bypassed to execute attacker-supplied SQL queries against the database by means of specially crafted requests.

In the attacks observed so far, CVE-2024-27956 is being exploited to run unauthorized database queries and create new administrator accounts on vulnerable WordPress sites, typically with usernames beginning with "xtw". These accounts are then used for follow-on activity after the initial compromise.

That activity includes installing plugins that allow file uploads or code editing, which indicates attempts to repurpose the infected sites as staging infrastructure for further attacks.

According to WPScan, once a site is compromised the attackers establish persistence by planting backdoors and obfuscating their code. They also rename the vulnerable WP-Automatic file, which helps them evade detection and retain control of the site without being noticed by site owners or security tools. Updating the plugin closes the injection point but does not remove accounts, backdoors, or renamed files that were planted before the update, so sites that were exposed should also audit their users and plugin files.

The file in question is "/wp-content/plugins/wp-automatic/inc/csv.php", which is renamed to something like "wp-content/plugins/wp-automatic/inc/csv65f82ab408b3.php".

The renaming may also be intended to keep other attackers from exploiting the sites the threat actors already control: once the original path no longer answers requests, anyone else scanning for csv.php cannot reuse the same entry point.
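As an added example (not the article's, WPScan's or the plugin's own code), the following Python script checks a WP-Automatic install for the three indicators described above: a plugin version earlier than 3.9.2.0, a csv.php in inc/ that has been renamed to csv<hex>.php, and administrator accounts whose login begins with "xtw". The main plugin file name wp-automatic.php, the csv<hex>.php pattern (generalised from the one renamed filename the article gives), and the sample users and files in the demo fixture are assumptions made for the example.

```python
"""
Triage checks for the CVE-2024-27956 indicators described in the article.
Added example; not code from the article, WPScan, Patchstack, or the
WP-Automatic plugin itself.
"""
import re
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# First fixed release, per the article.
PATCHED_VERSION = (3, 9, 2, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.9.1.0' -> (3, 9, 1, 0). Non-numeric pieces count as 0."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True for any release earlier than 3.9.2.0 (missing components = 0)."""
    v = parse_version(version)
    width = max(len(v), len(PATCHED_VERSION))
    return v + (0,) * (width - len(v)) < PATCHED_VERSION + (0,) * (width - len(PATCHED_VERSION))


def plugin_version_from_header(plugin_main_php: str) -> Optional[str]:
    """Extract the 'Version:' line from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", plugin_main_php, re.M)
    return m.group(1) if m else None


def renamed_csv_files(plugin_dir: Path) -> List[str]:
    """Files in inc/ shaped like a renamed csv.php (csv<hex>.php).

    Assumption: the pattern csv<hex digits>.php is generalised from the one
    renamed filename the article shows; other rename schemes will not match."""
    inc = plugin_dir / "inc"
    if not inc.is_dir():
        return []
    return sorted(p.name for p in inc.iterdir()
                  if p.is_file() and re.fullmatch(r"csv[0-9a-f]+\.php", p.name))


def suspicious_admins(users: Iterable[Tuple[str, Iterable[str]]],
                      prefix: str = "xtw") -> List[str]:
    """Administrator logins starting with the prefix seen in the attacks.

    `users` is (login, roles) pairs, e.g. built from
    `wp user list --fields=user_login,roles`."""
    return sorted(login for login, roles in users
                  if "administrator" in roles and login.startswith(prefix))


def triage(plugin_dir: Path, users) -> dict:
    """Run all three checks against a plugin directory and a user list."""
    main_php = plugin_dir / "wp-automatic.php"  # main file name assumed
    version = plugin_version_from_header(main_php.read_text()) if main_php.is_file() else None
    return {
        "version": version,
        "vulnerable_version": is_vulnerable_version(version) if version else None,
        "csv_php_present": (plugin_dir / "inc" / "csv.php").is_file(),
        "renamed_csv_files": renamed_csv_files(plugin_dir),
        "suspicious_admins": suspicious_admins(users),
    }


def build_demo_fixture() -> Path:
    """Constructed plugin directory mimicking a compromised, unpatched install."""
    root = Path(tempfile.mkdtemp(prefix="wp-automatic-demo-"))
    (root / "inc").mkdir()
    (root / "wp-automatic.php").write_text(
        "<?php\n/*\nPlugin Name: WP Automatic\nVersion: 3.9.1.0\n*/\n")
    # csv.php renamed the way the article describes; the original is gone.
    (root / "inc" / "csv65f82ab408b3.php").write_text("<?php // renamed entry point\n")
    return root


# Constructed sample user list; only one entry is an admin with the "xtw" prefix.
DEMO_USERS = [
    ("admin", ["administrator"]),
    ("xtw1845b3c2", ["administrator"]),
    ("xtwreader", ["subscriber"]),
    ("editor", ["editor"]),
]


def run_demo() -> dict:
    """Triage the constructed fixture; returns the findings dict."""
    return triage(build_demo_fixture(), DEMO_USERS)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real install, point triage() at wp-content/plugins/wp-automatic and feed it (login, roles) pairs taken from `wp user list --fields=user_login,roles`. A missing csv.php next to a csv<hex>.php, or an "xtw" administrator, indicates an existing compromise rather than merely an unpatched plugin, because the article attributes the rename to post-exploitation persistence.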

WordPress security company Patchstack publicly disclosed CVE-2024-27956 on March 13, 2024. Since then, more than 5.5 million attempts to exploit the flaw have been observed in the wild.
