Hackers often target WordPress plugins as they have security loopholes that they can exploit to hack into sites without permission.
Once they have found them, threat actors can insert corrupted scripts into these loopholes to compromise the system, obtain secret data, and carry out any other attack that serves their requirements.
Cybersecurity researchers at WPScan recently discovered that hackers have been actively exploiting the WP Automatic updates plugin vulnerability, tracked as “CVE-2024-27956.”
Flaw Profile
- CVE ID: CVE-2024-27956
- WP‑Automatic Vulnerable Versions: < 3.9.2.0
- CVSSv3.1: 9.8
- CVSS severity: High
- Fixed in: 3.92.1
- Classification: SQL Injection
- Patch priority: High
WP Automatic Updates Under Attack
This critical flaw in the WP-Automatic plugin allows threat actors to bypass authentication, create admin accounts, upload malicious files, and potentially compromise affected websites through a SQL injection vulnerability that was discovered a few weeks ago.
The problem is due to incorrect user authentication handling, which permits the injection of harmful SQL queries.
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide
On 13 March, PatchStack released it publicly and recorded over 5.5 million attempts at attack, which peaked on 31 March after gradually increasing. This security hole is very dangerous as it can result in a complete site takeover.
.webp)
Attackers exploit the SQL Injection (SQLi) vulnerability by injecting malicious SQL queries that create admin accounts, upload web shells and backdoors, and rename the plugin file being exploited for continuous use.
Afterward, they install plugins that allow more code editing and file uploads while hiding their tracks.
Owners, security tools, and other threat actors can be blocked and remain undetected by renaming the plugin file.
Persistence is achieved through full control as threat actors apply backdoors to control them using different malicious plugins or themes.
Mitigations
Here below, we have mentioned all the mitigations recommended by the cybersecurity analysts:-
- Make sure to keep the WP‑Automatic plugin updated to the latest version to patch any known vulnerabilities and ensure security.
- Regularly audit WordPress user accounts to remove unauthorized or suspicious admin users, which helps reduce the risk of unauthorized access.
- Always utilize robust security monitoring tools like Jetpack Scan to detect and respond to malicious activity promptly.
- Maintain up-to-date backups of your website data to enable quick restoration in case of a compromise, ensuring minimal downtime and data loss.
IoCs
- Administrator user with name starting with xtw.
- The vulnerable file “/wp‑content/plugins/wp‑automatic/inc/csv.php” renamed to something as “/wp‑content/plugins/wp‑automatic/inc/csv65f82ab408b3.php”
- The following SHA1 hashed files dropped in your site’s filesystem:
- b0ca85463fe805ffdf809206771719dc571eb052 web.php
- 8e83c42ffd3c5a88b2b2853ff931164ebce1c0f3 index.php
Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo