A critical vulnerability recently discovered in a popular WordPress plugin, is being actively abused in the wild, researchers have said, with hackers potentially able to use the flaw to fully take over a victim’s website.
WordPress security firm Patchstack first discovered an SQL injection (SQLi) vulnerability in the WP‑Automatic plugin, in mid-March 2024.
WP-Automatic is a WordPress plugin designed to automate the process of importing and publishing content from various sources. It can grab content from RSS feeds, websites, YouTube channels, and more, and then automatically create and publish posts.
Five million attacks
According to a WPScan alert, cybercriminals can use the flaw to “gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites.” So far, the flaw was used to create new administrator accounts, which the hackers would later use for additional attacks (installing malicious add ons, exfiltrating sensitive data, and more).
It was given a rating of 9.9 (critical), and tracked as CVE-2024-27956. All versions up to 3.9.2.0 are said to be vulnerable. So far, more than five million exploitations attempts were recorded.
“Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code,” WPScan said. “To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue.”
The Hacker News, also said that the file renaming part might also be an attempt by hackers to prevent other hackers from taking over.
WordPress is by far the most popular website builder platform around today, powering almost half of the entire Internet. Still, it is considered relatively safe, with themes and plugins being the weakest link. WordPress site users are advised to only install themes and addons they plan on using, and to keep them updated at all times.