Pierluigi Paganini April 26, 2024

A critical vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and web shells into websites

WordPress security scanner WPScan warns that threat actors are exploiting a critical SQL injection vulnerability in the plugin WordPress Automatic to inject malware into websites.

The premium plugin “Automatic” developed by ValvePress enables users to automatically post content from any website to WordPress, including RSS feeds. It has over 38,000 paying customers.

The vulnerability, tracked as CVE-2024-27956 (CVSS score of 9.8), resides in WP‑Automatic plugin’s handling of user authentication in one file. An attacker can exploit the issue to inject code into the site’s database and gain admin‑level privileges.

“A few weeks ago a critical vulnerability was discovered in the plugin WP‑Automatic. This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites.” reads the advisory.

Threat actors can exploit the flaw by sending specially crafted requests, resulting in the injection of arbitrary SQL code into the site’s database.

The vulnerability was originally reported by PatchStack on March 13, 2024, and since then WPScan researchers observed 5,576,488 attack attempts. The researchers noticed that attack campaign started slowly and reached its peak on March 31, 2024.

Once the attackers have created an admin‑level account can upload malicious files such as web shells or backdoors and compromise the underlying server.

Researchers observed attackers renaming the vulnerable WP-Automatic file to prevent other threat actors from exploiting it, ensuring exclusive access for themselves.

“Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code. To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue. It’s worth mentioning that it may also be a way attackers find to avoid other bad actors to successfully exploit their already compromised sites.” reads the advisory published by WPScan. “Also, since the attacker can use their acquired high privileges to install plugins and themes to the site, we noticed that, in most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code.”

The vulnerability impacted WP‑Automatic Versions before 3.9.2.0, version 3.92.1 addressed it.

Admins are recommended to update their installs as soon as possible.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)