Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites

Summary: Threat actors are actively exploiting a critical security flaw in the WP-Automatic plugin for WordPress, which could lead to site takeovers. The vulnerability allows attackers to execute arbitrary SQL queries and gain unauthorized access to websites.

Threat Actor: Unknown | WP-Automatic plugin
Victim: WordPress sites using the WP-Automatic plugin | WordPress

Key Points:

  • Threat actors are exploiting a critical security flaw in the WP-Automatic plugin for WordPress, allowing them to gain unauthorized access to websites and potentially take full control.
  • The vulnerability, tracked as CVE-2024-27956, is a SQL injection flaw that can be exploited to create admin-level user accounts, upload malicious files, and compromise affected sites.
  • The flaw impacts all versions of the plugin prior to 3.9.2.0.
  • In observed attacks, the vulnerability is being used to execute unauthorized database queries and create new admin accounts on vulnerable WordPress sites.
  • The attackers may rename the vulnerable file to evade detection and maintain access to compromised sites.
  • The vulnerability was publicly disclosed on March 13, 2024, and has since seen over 5.5 million attack attempts in the wild.
  • This disclosure comes as other severe vulnerabilities have been discovered in popular WordPress plugins, such as Email Subscribers by Icegram Express, Forminator, and User Registration.

Threat actors are attempting to actively exploit a critical security flaw in the WP‑Automatic plugin for WordPress that could allow site takeovers.

The shortcoming, tracked as CVE-2024-27956, carries a CVSS score of 9.9 out of a maximum of 10. It impacts all versions of the plugin prior to 3.9.2.0.

“This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites,” WPScan said in an alert this week.

According to the Automattic-owned company, the issue is rooted in the plugin’s user authentication mechanism, which can be trivially circumvented to execute arbitrary SQL queries against the database by means of specially crafted requests.


In the attacks observed so far, CVE-2024-27956 is being used to run unauthorized database queries and create new admin accounts on susceptible WordPress sites (e.g., names starting with “xtw”), which could then be leveraged for follow-on post-exploitation actions.

This includes installing plugins that make it possible to upload files or edit code, indicating attempts to repurpose the infected sites as stagers.

“Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code,” WPScan said. “To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue.”

The file in question is “/wp-content/plugins/wp-automatic/inc/csv.php,” which is renamed to something like “wp-content/plugins/wp-automatic/inc/csv65f82ab408b3.php.”

That said, it’s possible that the threat actors are doing so in an attempt to prevent other attackers from exploiting the sites already under their control.
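The indicators reported above (a renamed csv.php, administrator logins starting with “xtw”, and a plugin version below 3.9.2.0) can be checked together on a site you administer. The following is an added example, not code from WPScan, Patchstack or the plugin; the hex-suffix filename pattern is an assumption generalised from the single sample name in the article, the administrator list and plugin version are supplied by the caller, and the sample tree and logins are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (3, 9, 2, 0)  # first patched release, per the article
# Assumption: renamed copies keep the "csv" stem plus a hex suffix, as in the article's sample.
RENAMED_CSV = re.compile(r"^csv[0-9a-f]{6,}\.php$", re.I)
ADMIN_PREFIX = "xtw"  # login prefix reported in observed attacks


def parse_version(text):
    """Turn '3.9.1.2' into (3, 9, 1, 2), padded to four parts for comparison."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:4]
    return tuple(parts + [0] * (4 - len(parts)))


def audit(wp_root, admin_logins, plugin_version=None):
    """Return a list of findings for one WordPress install."""
    findings = []
    inc = Path(wp_root) / "wp-content/plugins/wp-automatic/inc"
    if inc.is_dir():
        names = [p.name for p in inc.iterdir() if p.is_file()]
        renamed = sorted(n for n in names if RENAMED_CSV.match(n))
        for n in renamed:
            findings.append(f"renamed csv.php candidate: inc/{n}")
        if renamed and "csv.php" not in names:
            findings.append("inc/csv.php missing while a renamed copy exists")
    if plugin_version and parse_version(plugin_version) < FIXED_VERSION:
        findings.append(f"plugin version {plugin_version} predates 3.9.2.0")
    for login in admin_logins:
        if login.lower().startswith(ADMIN_PREFIX):
            findings.append(f"administrator login matches reported prefix: {login}")
    return findings


def demo():
    """Build a constructed install tree and audit it (all sample data is made up)."""
    with tempfile.TemporaryDirectory() as root:
        inc = Path(root) / "wp-content/plugins/wp-automatic/inc"
        inc.mkdir(parents=True)
        (inc / "csv65f82ab408b3.php").write_text("<?php // constructed sample")
        (inc / "csvhelper.php").write_text("<?php // benign name, must not match")
        return audit(root, ["editor_jane", "xtw1838"], "3.9.1.2")


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A match is a lead for review rather than proof of compromise, and a clean result does not rule out other backdoors left after exploitation.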

CVE-2024-27956 was publicly disclosed by WordPress security firm Patchstack on March 13, 2024. Since then, more than 5.5 million attack attempts to weaponize the flaw have been detected in the wild.


The disclosure comes as severe bugs have been disclosed in plugins like Email Subscribers by Icegram Express (CVE-2024-2876, CVSS score: 9.8), Forminator (CVE-2024-28890, CVSS score: 9.8), and User Registration (CVE-2024-2417, CVSS score: 8.8) that could be used to extract sensitive data like password hashes from the database, upload arbitrary files, and grant an authenticated user admin privileges.

Patchstack has also warned of an unpatched issue in the Poll Maker plugin (CVE-2024-32514, CVSS score: 9.9) that allows for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site’s server, leading to remote code execution.

Source: https://thehackernews.com/2024/04/hackers-exploiting-wp-automatic-plugin.html

