WP Automatic WordPress Plugin Under Siege from Millions of SQL Injection Attacks

The WP Automatic plugin for WordPress is facing a barrage of attacks from hackers exploiting a critical vulnerability. This flaw allows attackers to create user accounts with administrative privileges and implant backdoors for persistent access.

WP Automatic, utilized by over 30,000 websites, enables administrators to automate the import of content like text, images, and videos from various online sources and publish it on their WordPress site.

The vulnerability, tracked as CVE-2024-27956, carries a CVSS severity score of 9.9/10. It was publicly disclosed by researchers at Patchstack, a vulnerability mitigation service, on March 13, 2024. The issue, affecting WP Automatic versions before 3.92.0, is an SQL injection flaw in the plugin’s user authentication mechanism.

Because the authentication check can be bypassed without valid credentials, an unauthenticated attacker can submit arbitrary SQL queries to the website’s database, including queries that insert new administrator accounts.

Since the disclosure, Automattic’s WPScan has logged more than 5.5 million attempts to exploit this vulnerability, most of them on March 31.

According to WPScan, once attackers have admin access they plant backdoors and obfuscate their code to make detection harder. They also frequently rename the vulnerable file, csv.php, to evade detection and to keep the access they have gained.

Once control is established, threat actors frequently install additional plugins that facilitate file uploads and code editing.

WPScan has published indicators of compromise for the campaign: an administrator account whose username starts with “xtw”, and dropped files named web.php and index.php. Note that index.php is also a legitimate WordPress filename that appears in almost every directory, so the indicator is an unexpected or modified index.php, not the name on its own.
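A triage pass over those indicators, as an added example that is not WPScan’s, Patchstack’s or the plugin’s own code: it flags administrator accounts with the “xtw” prefix and dropped web.php files, and it separates a planted index.php from the stock WordPress “Silence is golden” stub before reporting it. The user-record shape (dicts with `user_login` and a list of role slugs under `roles`), the obfuscation patterns used to spot a backdoor, and the sample site tree are assumptions constructed for the demo, not campaign data.

```python
"""Triage checks for the WP Automatic campaign indicators described above.

Added example, not code from WPScan, Patchstack or the plugin. Assumptions
(not from the article): user records are dicts carrying "user_login" and a
list of role slugs under "roles", and the site root is an ordinary
WordPress directory tree.
"""
import os
import re
import tempfile

# WordPress ships a harmless "Silence is golden" index.php in many
# directories; an index.php with exactly that content is not a finding.
STOCK_STUB_RE = re.compile(r"^\s*<\?php\s*//\s*Silence is golden\.?\s*$", re.I)

# Constructs typical of obfuscated PHP backdoors (assumed heuristics). An
# index.php that is not the stock stub and matches one of these is flagged
# for manual review.
SUSPECT_RE = re.compile(
    r"\b(?:eval|base64_decode|gzinflate|gzuncompress|str_rot13|assert)\s*\("
    r"|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[",
    re.I,
)

# Constructed sample user list (demo data, not from a real site).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "roles": ["administrator"]},
    {"ID": 2, "user_login": "editor_jane", "roles": ["editor"]},
    {"ID": 57, "user_login": "xtw1838454e", "roles": ["administrator"]},
    {"ID": 58, "user_login": "xtwsubscriber", "roles": ["subscriber"]},
]


def suspicious_admins(users):
    """Return logins of administrator accounts whose user_login starts with 'xtw'."""
    return [
        u["user_login"]
        for u in users
        if "administrator" in u.get("roles", [])
        and u["user_login"].lower().startswith("xtw")
    ]


def suspicious_files(site_root):
    """Walk site_root and return sorted (relative_path, reason) pairs for every
    web.php, and for every index.php that is not the stock stub and contains
    backdoor-style constructs."""
    findings = []
    for dirpath, _, filenames in os.walk(site_root):
        for name in filenames:
            if name not in ("web.php", "index.php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, site_root).replace(os.sep, "/")
            if name == "web.php":
                findings.append((rel, "web.php is not a core WordPress file; review it"))
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            if STOCK_STUB_RE.match(body):
                continue  # the harmless stub WordPress itself creates
            if SUSPECT_RE.search(body):
                findings.append((rel, "index.php contains eval/decode/request-input constructs"))
    return sorted(findings)


def build_sample_site(root):
    """Write a constructed, minimal WordPress-like tree under root (demo data only)."""
    layout = {
        # the real front controller: not the stub, but also not a backdoor
        "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/index.php": "<?php\n// Silence is golden.\n",
        "wp-content/uploads/2024/04/index.php": "<?php\n// Silence is golden.\n",
        "wp-content/uploads/2024/04/web.php": "<?php eval(base64_decode($_POST['c']));\n",
        "wp-content/plugins/wp-automatic/index.php": "<?php eval(gzinflate(base64_decode('H4sI...')));\n",
    }
    for rel, body in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample site in a temporary directory, run both checks, return findings."""
    with tempfile.TemporaryDirectory(prefix="wpa-triage-") as root:
        build_sample_site(root)
        return {
            "admins": suspicious_admins(SAMPLE_USERS),
            "files": suspicious_files(root),
        }


if __name__ == "__main__":
    result = demo()
    for login in result["admins"]:
        print(f"[admin] suspicious administrator account: {login}")
    for rel, reason in result["files"]:
        print(f"[file] {rel}: {reason}")
```

On a real site, feed `suspicious_admins()` the user list exported from the database (for example `wp user list --format=json`, with the roles field split into a list) and point `suspicious_files()` at the web root. Treat the output as a review queue rather than a verdict: a legitimate theme or plugin may read request parameters in an index.php, and the renamed csv.php indicator cannot be checked by filename alone, so compare the wp-automatic plugin directory against a clean copy of the same version.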

To mitigate the risk, researchers advise WordPress site administrators to update the WP Automatic plugin to version 3.92.1 or later. They also recommend creating regular backups to restore clean copies quickly in case of a compromise.

Updating the plugin closes the entry point but does not undo an existing compromise: administrator accounts and backdoors planted before the patch remain, so site owners should audit the user list and file system after updating. Beyond this plugin, administrators should keep all plugins, themes, and the WordPress core up to date to close known vulnerabilities, enforce strong passwords, and use security plugins to strengthen the website’s overall security posture.