WordPress Security Alert: CVE-2024-27956 Under Attack

Cybercriminals have begun to exploit a critical vulnerability in the WP Automatic plugin for WordPress, enabling them to create accounts with administrative privileges and install backdoors for long-term access.

Installed on over 30,000 sites, the WP Automatic plugin allows administrators to automate the import of content (texts, images, videos) from various sources for publication on a WordPress site.

The SQL injection vulnerability, CVE-2024-27956 (CVSS score: 9.9), affects versions of WP Automatic up to and including 3.9.2.0. The flaw was disclosed on March 13 by researchers at Patchstack.

The issue lies in the plugin’s user authentication mechanism, which can be bypassed to send SQL queries directly to the site’s database. Attackers use specially crafted queries to create administrator accounts on the target site.

Since the disclosure of the vulnerability, Automattic’s WPScan service has recorded over 5.5 million attack attempts, with the majority occurring on March 31.

Once administrative access to the site is obtained, attackers create backdoors and obfuscate the code to complicate detection. To prevent other hackers from accessing the site through the same vulnerability and to evade detection, the attackers also rename the vulnerable file to “csv.php.”

Upon establishing control over the site, cybercriminals often install additional plugins that allow file uploads and code editing.

WPScan provides several indicators of compromise (IoCs) that can help administrators determine whether their site has been hacked. Signs include the presence of an administrator account whose name starts with “xtw” and files named web.php and index.php, which are backdoors installed during the recent campaign.

To minimize the risk of hacking, researchers recommend that WordPress site administrators update the WP Automatic plugin to version 3.92.1 or later. It is also advisable to back up the site regularly so that it can be restored quickly from a copy in the event of compromise.
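As an added example (not code from WPScan or the article), the following script turns the IoCs and the fixed version above into an offline check an administrator can run against a site copy: it reads the plugin’s version header, flags administrator logins starting with “xtw”, and flags web.php anywhere and csv.php inside the plugin directory. The plugin directory name wp-content/plugins/wp-automatic and the sample site it builds are assumptions.

```python
import os
import re
import tempfile

# Page facts: fix in 3.92.1, "xtw" admin logins, web.php backdoor, renamed csv.php.
# Assumed (not stated on the page): the plugin lives in wp-content/plugins/wp-automatic.
FIXED_VERSION = "3.92.1"
PLUGIN_DIR = os.path.join("wp-content", "plugins", "wp-automatic")

def parse_version(v):
    # Numeric tuple: 3.92.1 must sort above 3.9.2.0 (92 > 9), which string order gets wrong.
    return tuple(int(p) for p in re.findall(r"\d+", v))

def plugin_version(wp_root):
    # Read the "Version:" header from the plugin's top-level PHP files; None if absent.
    plugin = os.path.join(wp_root, PLUGIN_DIR)
    for name in (sorted(os.listdir(plugin)) if os.path.isdir(plugin) else []):
        if name.endswith(".php"):
            with open(os.path.join(plugin, name), errors="ignore") as fh:
                m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", fh.read(), re.M)
            if m:
                return m.group(1)
    return None

def scan(wp_root, users):
    # IoC findings for a WordPress root plus {login, role} records (e.g. wp user list --format=json).
    findings = []
    v = plugin_version(wp_root)
    if v and parse_version(v) < parse_version(FIXED_VERSION):
        findings.append(f"wp-automatic {v} is older than the fixed {FIXED_VERSION}")
    for u in users:
        if u["role"] == "administrator" and u["login"].startswith("xtw"):
            findings.append(f"suspicious admin account: {u['login']}")
    for dirpath, _, files in os.walk(wp_root):
        rel = os.path.relpath(dirpath, wp_root)
        for f in files:
            # index.php is a normal WordPress name, so only web.php is flagged everywhere; csv.php only in the plugin dir.
            if f == "web.php" or (f == "csv.php" and rel.startswith(PLUGIN_DIR)):
                findings.append(f"suspicious file: {os.path.join(rel, f)}")
    return sorted(findings)

def demo():
    # Constructed sample site: outdated plugin, renamed csv.php, dropped web.php, "xtw" admin.
    root = tempfile.mkdtemp()
    plugin = os.path.join(root, PLUGIN_DIR)
    os.makedirs(plugin)
    with open(os.path.join(plugin, "wp-automatic.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: WP Automatic\nVersion: 3.9.2.0\n*/\n")
    for p in (os.path.join(plugin, "csv.php"), os.path.join(root, "wp-content", "web.php")):
        open(p, "w").close()
    users = [{"login": "admin", "role": "administrator"}, {"login": "xtw1a2b", "role": "administrator"}]
    return scan(root, users)
```

On a real site, replace `demo()` with `scan("/var/www/html", json.load(...))` fed from `wp user list --fields=user_login,roles --format=json` (renaming the fields to login/role), and review every finding by hand.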