Cybercriminals exploit new vulnerability in WP Automatic plugin – Hacker

Hackers have begun exploiting a critical vulnerability in the WP Automatic plugin for WordPress. The bug is being used to create new users with administrator rights and to plant backdoors.

Currently, WP Automatic is installed on more than 30,000 sites. The plugin allows administrators to automate the import of content (such as text, images, and videos) from various sources, as well as publishing it on their WordPress site.


The vulnerability under attack is tracked as CVE-2024-27956 and is rated 9.8 out of 10 on the CVSS scale. The problem was discovered and disclosed by PatchStack researchers in March 2024. They described it as a SQL injection flaw affecting WP Automatic up to version 3.9.2.0; the vulnerability is fixed in version 3.92.1 and later.

The bug lies in the plugin's authentication mechanism, which can be bypassed to send SQL queries to the site's database. As a result, attackers can use specially crafted queries to create new administrator accounts on the targeted site.

According to WPScan, since PatchStack reported the problem, more than 5.5 million attack attempts have been made against the vulnerability, most of which occurred on March 31 of this year.

WPScan reports that after gaining administrative access to a site, attackers create backdoors and obfuscate the code to make the compromise harder to detect. Additionally, to prevent other attackers from compromising the same site and to avoid detection, they rename the vulnerable csv.php file (/wp-content/plugins/wp-automatic/inc/csv.php) to something like csv65f82ab408b3.php.


Having seized control of someone else's website, attackers usually install additional plugins that allow them to upload files and edit code.

WPScan notes that administrators can look for signs of compromise by checking for an administrator account whose name starts with "xtw", as well as for files named web.php and index.php, which are backdoors installed during the attacks.
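The indicators above (the "xtw" administrator prefix, the web.php and index.php backdoors, the renamed csv.php, and the fixed plugin version) can be turned into a simple offline check. The script below is an added example written for this article; it is not code from WPScan, PatchStack or the plugin. It assumes the site's files are supplied as a mapping of relative path to content (scan_tree() builds that mapping from a real WordPress root), that the administrator names come from a users export, and that the renamed csv file carries a hex suffix as in the article's example. Because WordPress legitimately ships an index.php in most directories, index.php files are only flagged when they contain common obfuscation calls, which is a heuristic of this example rather than a rule from the article.

```python
"""Indicator checks for the WP Automatic (CVE-2024-27956) compromise pattern.

Added example, not code from the article or from WPScan/PatchStack.
Assumed: files are given as a path -> content mapping (scan_tree() builds
it from disk) and admin usernames come from a users export or SQL dump.
"""
import os
import re

PLUGIN_INC = "wp-content/plugins/wp-automatic/inc"
FIXED_VERSION = (3, 92, 1)               # first fixed release named in the article
SUSPICIOUS_USER_PREFIX = "xtw"           # admin-name prefix reported by WPScan
# The article's example of the renamed file is csv65f82ab408b3.php; a hex suffix is assumed.
RENAMED_CSV_RE = re.compile(r"^csv[0-9a-f]+\.php$")
# Heuristic (assumption): obfuscated PHP backdoors commonly go through these calls.
OBFUSCATION_RE = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")


def parse_version(text):
    """'3.92.1' -> (3, 92, 1); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_is_vulnerable(version):
    """True when the installed WP Automatic is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def find_suspicious_users(admin_usernames):
    """Administrator accounts whose name starts with the reported 'xtw' prefix."""
    return sorted(u for u in admin_usernames if u.lower().startswith(SUSPICIOUS_USER_PREFIX))


def scan_listing(files):
    """Return sorted (indicator, path) tuples for a path -> content mapping."""
    findings = []
    csv_present = False
    for path, content in files.items():
        directory, name = os.path.split(path)
        if directory == PLUGIN_INC:
            if name == "csv.php":
                csv_present = True
            elif RENAMED_CSV_RE.match(name):
                findings.append(("renamed-csv", path))   # csv.php renamed by the attacker
        if name == "web.php" and path.startswith("wp-content/"):
            findings.append(("web-php", path))           # backdoor file named by WPScan
        if name == "index.php" and OBFUSCATION_RE.search(content):
            findings.append(("obfuscated-index", path))  # index.php carrying obfuscated code
    # The plugin is installed but its csv.php is gone: consistent with the rename step.
    if any(p.startswith(PLUGIN_INC + "/") for p in files) and not csv_present:
        findings.append(("csv-missing", PLUGIN_INC + "/csv.php"))
    return sorted(findings)


def scan_tree(root):
    """Build the mapping from a WordPress install on disk and scan it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.endswith(".php"):
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    files[rel] = fh.read()
            else:
                files[rel] = ""   # only PHP content is inspected
    return scan_listing(files)


# Constructed sample listing (not taken from a real site) mirroring the article's indicators.
SAMPLE_FILES = {
    "wp-content/plugins/wp-automatic/inc/csv65f82ab408b3.php": "<?php /* plugin code */",
    "wp-content/plugins/wp-automatic/inc/other.php": "<?php /* plugin code */",
    "wp-content/uploads/2024/03/web.php": "<?php /* constructed placeholder */",
    "wp-content/uploads/index.php": "<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));",
    "wp-content/themes/demo/index.php": "<?php // Silence is golden.",
}
SAMPLE_ADMINS = ["editor", "xtw1184b7ca", "alice"]   # constructed usernames

if __name__ == "__main__":
    for indicator, path in scan_listing(SAMPLE_FILES):
        print(f"{indicator:17} {path}")
    print("suspicious admins:", find_suspicious_users(SAMPLE_ADMINS))
    print("3.92.0 vulnerable:", version_is_vulnerable("3.92.0"))
```

Run it against a real install with `scan_tree("/var/www/html")` and feed `find_suspicious_users()` the output of a `wp user list --role=administrator` export or a `wp_users` dump. A "csv-missing" or "renamed-csv" hit on its own is not proof of compromise, since an administrator may have removed the plugin's files deliberately, but combined with an "xtw" account or a web.php under wp-content it matches the pattern WPScan describes.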
