Analysis Summary

A serious security vulnerability in the WordPress plugin WP-Automatic is being actively targeted by threat actors, with the potential to enable site takeovers. The vulnerability, identified as CVE-2024-27956, has a CVSS score of 9.9. It affects all plugin versions older than 3.9.2.0.

This vulnerability is a SQL injection (SQLi) bug that presents a serious risk because it allows attackers to create admin-level user accounts, post malicious files, and potentially take over compromised websites. The problem stems from the user authentication method of the plugin, which is easily gotten over to run arbitrary SQL queries against the database using specially constructed requests.

CVE-2024-27956 is being utilized in attacks that have been seen thus far to execute unauthorized database queries and establish new admin accounts on WordPress sites that are vulnerable (e.g., names that begin with "xtw"). These accounts could subsequently be used for additional post-exploitation activities. Installing plugins that enable file uploading or code editing is one way to do this, suggesting efforts to use the compromised websites as staging areas.

Attackers make sure they have access to a WordPress site for as long as possible by obfuscating the code and building backdoors. Attackers may also rename the susceptible WP‑Automatic file to avoid discovery and preserve access, making it more challenging for website owners or security tools to find or disable the problem. Having said that, it's plausible that the threat actors are acting in this way to try and stop other attackers from taking advantage of the websites that they already possess.

On March 13, 2024, WordPress security firm Patchstack made CVE-2024-27956 publicly known. Since then, over 5.5 million attempts have been found in the wild to weaponize the vulnerability. The revelation coincides with the discovery of serious vulnerabilities in plugins such as Icegram Express's Email Subscribers (CVE-2024-2876, CVSS score: 9.8), Forminator's Email Subscribers (CVE-2024-28890, CVSS score: 9.8), and User Registration's Email Subscribers (CVE-2024-2417, CVSS score: 8.8). These vulnerabilities could be exploited to retrieve password hashes and other sensitive information from the database, upload arbitrary files, and grant administrator rights to an authenticator user.

Patchstack has also alerted users to an unpatched vulnerability in the Poll Maker plugin (CVE-2024-32514, CVSS score: 9.9) that permits authenticated attackers having access levels higher than subscriber level to upload any file to the affected site's server and execute code remotely.

Impact

• Unauthorized Access
• Data Manipulation
• Exposure to Sensitive Data

Indicators of Compromise

CVE

• CVE-2024-27956

Affected Vendors

Remediation

• Refer to the WordPress Plugins Directory for patch, upgrade, or workaround information.
• Enhance the security of your WordPress site by implementing two-factor authentication. 
• Keep your WordPress core and all installed plugins up to date.
• Conduct regular security audits of your WordPress site.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets
• Maintain daily backups of all computer networks and servers.
• Keep all software, operating systems, and applications updated with the latest security patches.
• Continuously monitor network and system logs for unusual or suspicious activities.
• Review and secure website code to prevent open redirect vulnerabilities.
• Educate all site administrators about security best practices and the potential risks associated with phishing emails, fake security advisories, and malicious plugins.