Getty Images
Hackers are assailing websites using a prominent WordPress plugin with millions of attempts to exploit a high-severity vulnerability that allows complete takeover, researchers said.
The vulnerability resides in WordPress Automatic, a plugin with more than 38,000 paying customers. Websites running the WordPress content management system use it to incorporate content from other sites. Researchers from security firm Patchstack disclosed last month that WP Automatic versions 3.92.0 and below had a vulnerability with a severity rating of 9.9 out of a possible 10. The plugin developer, ValvePress, silently published a patch, which is available in versions 3.92.1 and beyond.
Researchers have classified the flaw, tracked as CVE-2024-27956, as a SQL injection, a class of vulnerability that stems from a failure by a web application to query backend databases properly. SQL syntax uses apostrophes to indicate the beginning and end of a data string. By entering strings with specially positioned apostrophes into vulnerable website fields, attackers can execute code that performs various sensitive actions, including returning confidential data, giving administrative system privileges, or subverting how the web app works.
“This vulnerability is highly dangerous and expected to become mass exploited,” Patchstack researchers wrote on March 13.
Fellow web security firm WPScan said Thursday that it has logged more than 5.5 million attempts to exploit the vulnerability since the March 13 disclosure by Patchstack. The attempts, WPScan said, started slowly and peaked on March 31. The firm didn’t say how many of those attempts succeeded.
WPScan said that CVE-2024-27596 allows unauthenticated website visitors to create admin‑level user accounts, upload malicious files, and take full control of affected sites. The vulnerability, which resides in how the plugin handles user authentication, allows attackers to bypass the normal authentication process and inject SQL code that grants them elevated system privileges. From there, they can upload and execute malicious payloads that rename sensitive files to prevent the site owner or fellow hackers from controlling the hijacked site.
Successful attacks typically follow this process:
- SQL Injection (SQLi): Attackers leverage the SQLi vulnerability in the WP‑Automatic plugin to execute unauthorized database queries.
- Admin User Creation: With the ability to execute arbitrary SQL queries, attackers can create new admin‑level user accounts within WordPress.
- Malware Upload: Once an admin‑level account is created, attackers can upload malicious files, typically web shells or backdoors, to the compromised website’s server.
- File Renaming: Attacker may rename the vulnerable WP‑Automatic file, to ensure only he can exploit it.
WPScan researchers explained:
Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code. To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue. It’s worth mentioning that it may also be a way attackers find to avoid other bad actors to successfully exploit their already compromised sites. Also, since the attacker can use their acquired high privileges to install plugins and themes to the site, we noticed that, in most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code.
The attacks began shortly after March 13, 15 days after ValvePress released version 3.92.1 without mentioning the critical patch in the release notes. ValvePress representatives didn’t immediately respond to a message seeking an explanation.
While researchers at Patchstack and WPScan are classifying CVE-2024-27956 as SQL injection, an experienced developer said his reading of the vulnerability is that it’s either improper authorization (CWE-285) or a subcategory of improper access control (CWE-284).
“According to Patchstack.com, the program is supposed to receive and execute an SQL query, but only from an authorized user,” the developer, who didn’t want to use his name, wrote in an online interview. “The vulnerability is in how it checks the user’s credentials before executing the query, allowing an attacker to bypass the authorization. SQL injection is when the attacker embeds SQL code in what was supposed to be only data, and that’s not the case here.”
Whatever the classification, the vulnerability is about as severe as it gets. Users should patch the plugin immediately. They should also carefully analyze their servers for signs of exploitation using the indicators of compromise data provided in the WPScan post linked above.