Hackers have honed in on a critical WP-Automatic plugin vulnerability, aiming to infiltrate WordPress websites by creating unauthorized admin accounts, according to recent reports. The flaw, identified in versions preceding 3.9.2.0 of the WP Automatic plugin, has prompted cybersecurity experts to issue urgent warnings to website owners and administrators.
The vulnerability, flagged under the identifier “CVE-2024-27956,” has been characterized as a high-severity issue with a CVSS score of 9.8. It pertains to a SQL injection flaw within the plugin’s user authentication mechanism, which essentially enables threat actors to circumvent security measures and gain administrative privileges.
Decoding WP-Automatic Plugin Vulnerability
Exploiting this vulnerability grants hackers the ability to implant backdoors within websites, ensuring prolonged unauthorized access.
Reports indicate that hackers have been actively exploiting this vulnerability, capitalizing on the widespread use of the WP Automatic plugin across more than 30,000 websites. The exploit allows them to execute various malicious activities, including the creation of admin accounts, uploading of corrupted files, and executing SQL injection attacks.
Cybersecurity researchers have observed a surge in exploit attempts, with over 5.5 million recorded attacks since the vulnerability was publicly disclosed. The threat landscape escalated rapidly, peaking on March 31st, underscoring the urgency for website owners to take immediate action to secure their online assets.
The Technical Side of the WP-Automatic Plugin Vulnerabilities
The Automatic Plugin, developed by ValvePress, faces an challenge beyond comprehension since the vulnerability effects thousands of users who downloaded the plugin through WordPress and other WP plugin markets.
The vulnerability stemmed from the inc/csv.php file, which allowed unauthenticated users to supply and execute arbitrary SQL queries. Despite initial checks using wp_automatic_trim() function, bypassing them was feasible by providing an empty string as the authentication parameter ($auth) and crafting the MD5 hash of the SQL query to subvert integrity checks.
Furthermore, the vulnerability lied within the downloader.php file, where unauthenticated users could provide arbitrary URLs or even local files via the $_GET[‘link’] parameter for fetching through cURL. This flaw facilitated server-side request forgery (SSRF) attacks.
To mitigate the vulnerabilities, the vendor enacted several measures. For the SQL Execution vulnerability, the entire inc/csv.php file was removed. For the File Download and SSRF vulnerability, a nonce check was implemented, coupled with validation checks on the $link variable.
Mitigation Against the WP-Automatic Plugin Vulnerability
To safeguard against potential compromises, cybersecurity analysts recommend the following measures, including regularly updating the WP-Automatic plugin to its latest version is crucial to patch known vulnerabilities and bolster security measures. Regular audits of WordPress user accounts help identify and remove unauthorized or suspicious admin users, reducing the risk of unauthorized access.
Employing robust security monitoring tools aids in detecting and responding promptly to malicious activities, improving threat detection capabilities. It’s essential to maintain up-to-date backups of website data to enable swift restoration in case of compromise, minimizing downtime and data loss.
Website administrators should watch out for indicators of compromise, including admin accounts with names starting with “xtw,” renamed vulnerable file paths, and dropped SHA1 hashed files in the site’s filesystem.
The exploitation of WP-Automatic plugin vulnerabilities highlights the ongoing cybersecurity threats within WordPress ecosystems. By promptly implementing suggested mitigations and staying alert for potential indicators of compromise, website owners can strengthen their defenses against malicious actors aiming to exploit these vulnerabilities.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
