WP Automatic Plugin Targeted by Attackers Exploiting Critical Security Flaw
Recent reports indicate that threat actors are actively trying to exploit a severe vulnerability in the ValvePress Automatic plugin for WordPress, which has the potential to enable site takeovers. The vulnerability, identified as CVE-2024-27956, has a CVSS score of 9.9, underscoring its critical nature. It affects all versions of the plugin prior to 3.92.0 and has been addressed in version 3.92.1, released on February 27, 2024. However, it is noteworthy that the release notes for this update do not acknowledge the fix.
This vulnerability, classified as a SQL injection (SQLi) flaw, poses a grave risk, allowing attackers to gain unauthorized access to WordPress sites, create admin-level user accounts, upload malicious files, and potentially assume complete control over compromised systems. WPScan, a leader in WordPress security, highlighted the danger in an alert issued this week, stating that the issue stemmed from weaknesses in the plugin’s user authentication scheme. Attackers can exploit this to execute arbitrary SQL queries on the database using specially crafted requests.
In the security landscape, the attacks leveraging CVE-2024-27956 have primarily involved unauthorized database queries and the creation of new admin accounts on vulnerable WordPress installations. Reports indicate that the attacker-created admin accounts have usernames beginning with "xtw", and those accounts are then used for follow-on attacks, enabling malicious actors to install additional plugins for file uploads or code edits. This further suggests a strategy to repurpose infected sites for nefarious activities.
As WPScan pointed out, once attackers compromise a WordPress site, they often seek to ensure prolonged access by implementing backdoors and concealing malicious code. One method involves renaming the vulnerable WP-Automatic files, complicating detection efforts by website owners and security tools. Specifically, the vulnerable file located at "/wp-content/plugins/wp-automatic/inc/csv.php" may be renamed to obscure variations, such as "/wp-content/plugins/wp-automatic/inc/csv65f82ab408b3.php".
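As an added defender-side triage example (not code from WPScan, Patchstack or the plugin vendor), the following Python checks the three indicators described above: a plugin version below the patched release, renamed copies of inc/csv.php, and administrator accounts whose login begins with "xtw". The plugin directory layout, the way the main plugin file is located, and the user-list input format (assumed to come from `wp user list --fields=user_login,roles --format=csv`) are assumptions.

```python
import re
from pathlib import Path

# Indicators taken from the public reporting on CVE-2024-27956 (WP-Automatic).
PATCHED_VERSION = (3, 92, 1)             # first release carrying the fix
PLUGIN_SUBDIR = "wp-content/plugins/wp-automatic"   # assumed standard install path
# The vulnerable file is inc/csv.php; attackers rename it to csv<hex>.php (e.g. csv65f82ab408b3.php).
RENAMED_CSV = re.compile(r"^csv[0-9a-f]+\.php$", re.IGNORECASE)
ROGUE_PREFIX = "xtw"                     # username prefix of attacker-created admin accounts

def parse_version(header_text):
    """Pull 'Version: x.y.z' from a WordPress plugin header; None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).rstrip(".").split("."))

def is_unpatched(version):
    """Tuple comparison: anything below 3.92.1 is treated as not carrying the fix."""
    return version is not None and version < PATCHED_VERSION

def renamed_csv_copies(filenames):
    """Names in the plugin's inc/ directory that look like a renamed csv.php."""
    return sorted(f for f in filenames if f.lower() != "csv.php" and RENAMED_CSV.match(f))

def rogue_admins(user_rows):
    """user_rows: (user_login, roles) pairs; flags administrators whose login starts with 'xtw'."""
    return sorted(login for login, roles in user_rows
                  if "administrator" in roles.lower() and login.lower().startswith(ROGUE_PREFIX))

def triage(header_text, inc_filenames, user_rows):
    """Pure function over in-memory inputs so it can be run against exported data or a live tree."""
    version = parse_version(header_text)
    return {"version": version, "unpatched": is_unpatched(version),
            "renamed_csv": renamed_csv_copies(inc_filenames), "rogue_admins": rogue_admins(user_rows)}

def scan_install(wp_root, user_rows=()):
    """Filesystem wrapper: the main plugin file is assumed to be the top-level .php carrying 'Plugin Name:'."""
    plugin = Path(wp_root) / PLUGIN_SUBDIR
    header = next((p.read_text(errors="ignore") for p in plugin.glob("*.php")
                   if "Plugin Name:" in p.read_text(errors="ignore")), "")
    inc = plugin / "inc"
    names = [p.name for p in inc.iterdir()] if inc.is_dir() else []
    return triage(header, names, user_rows)

# Constructed sample inputs (not real site data) showing one unpatched, tampered install.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: WP Automatic\nVersion: 3.91.0\n*/\n"
SAMPLE_INC = ["csv.php", "csv65f82ab408b3.php", "class-wp-automatic.php"]
SAMPLE_USERS = [("alice", "administrator"), ("xtw18a3f", "administrator"), ("bob", "editor")]

if __name__ == "__main__":
    print(triage(SAMPLE_HEADER, SAMPLE_INC, SAMPLE_USERS))
```

Any non-empty `renamed_csv` or `rogue_admins` result, or `unpatched` being true, is a reason to treat the site as compromised and investigate rather than simply update.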
This behavior hints at attackers’ potential motivations to secure their foothold on compromised sites and prevent rival threat actors from exploiting the same vulnerabilities. The risk associated with CVE-2024-27956 was publicly disclosed by Patchstack, a WordPress security firm, on March 13, 2024, and since then, there have been upwards of 5.5 million documented attempts to exploit this security hole.
The disclosure of this critical vulnerability comes amidst a trend in the cybersecurity realm where severe vulnerabilities have been identified across various plugins, including Email Subscribers by Icegram Express (CVE-2024-2876), Forminator (CVE-2024-28890), and User Registration (CVE-2024-2417). These vulnerabilities similarly threaten sensitive data exposure and unauthorized administrative access.
Furthermore, Patchstack has raised concerns regarding an unaddressed vulnerability in the Poll Maker plugin (CVE-2024-32514), which allows authenticated attackers to upload arbitrary files, potentially leading to remote code execution capabilities on the server. These developments underline the increasingly precarious nature of WordPress security.
In analyzing the tactics likely employed in these attacks, frameworks like MITRE ATT&CK highlight potential methods such as initial access through exploitation of web application vulnerabilities, persistence via backdoor implementation, and privilege escalation through the creation of new admin accounts. Business owners using WordPress should exercise caution and ensure their plugins are regularly updated to safeguard against these vulnerabilities, thereby enhancing their overall cyber resilience.
As this story unfolds, it is crucial for professionals in the cybersecurity domain to remain vigilant and proactive in adopting and updating security measures, ensuring they are prepared to defend against evolving threats.