SQL injection attacks: Hackers are increasingly targeting a critical vulnerability in the WP Automatic plugin for WordPress that lets them create administrator accounts and plant backdoors for persistent access. Installed on more than 30,000 websites, WP Automatic automates importing content such as text, images and videos from online sources and publishing it on WordPress sites.
The vulnerability, tracked as CVE-2024-27956, carries a severity score of 9.9/10. It was disclosed by PatchStack, a vulnerability mitigation service, on March 13 and stems from an SQL injection flaw in versions of WP Automatic prior to 3.9.2.0. The flaw sits in the plugin's user authentication mechanism: an unauthenticated attacker can bypass the check and execute arbitrary SQL queries against the site's database, including queries that insert new administrator accounts.
Since the disclosure, WPScan, a service owned by Automattic, has recorded more than 5.5 million attack attempts, with the largest surge on March 31. After gaining administrative access, the attackers typically plant backdoors and obfuscate the code to evade detection. They also often rename the vulnerable file, csv.php, so that rival attackers cannot exploit the same flaw on a site they already control.
Once in control of the site, the attackers tend to install additional plugins that allow file uploads and code editing. WPScan has published a list of indicators of compromise to help website administrators determine whether their site has been affected.
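The checks an administrator would run against the indicators described above, as an added example that is not WPScan's list nor code from the plugin or the original article. It assumes the vulnerable endpoint lives at /wp-content/plugins/wp-automatic/inc/csv.php, that the web server writes Apache-style combined/common logs, and that the WordPress tables use the default "wp_" prefix; the log lines, user rows and file list are constructed samples.

```python
"""Offline triage for a suspected WP Automatic (CVE-2024-27956) compromise.

Three checks derived from the indicators in the article:
  1. access-log requests to the plugin's injection endpoint (csv.php),
  2. administrator accounts registered after the disclosure date,
  3. whether csv.php has been renamed or removed from the plugin directory.
"""
import re
from datetime import datetime, timezone

DISCLOSURE = datetime(2024, 3, 13, tzinfo=timezone.utc)
# Assumed path of the vulnerable endpoint (plugin slug "wp-automatic").
VULN_ENDPOINT_SUFFIX = "/wp-automatic/inc/csv.php"
# Assumed table prefix; wp_usermeta stores roles under "<prefix>capabilities".
CAPABILITIES_KEY = "wp_capabilities"

# Common/combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def endpoint_hits(log_lines):
    """Return (ip, method, path, status) for every request to the csv.php endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.endswith(VULN_ENDPOINT_SUFFIX):
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits


def suspicious_admins(users, usermeta, since=DISCLOSURE):
    """Logins of administrators whose wp_users.user_registered is on/after `since`.

    `users` rows look like wp_users (ID, user_login, user_registered);
    `usermeta` rows look like wp_usermeta (user_id, meta_key, meta_value).
    Capabilities are a serialized PHP array, so the role is matched textually.
    """
    admin_ids = {
        row["user_id"] for row in usermeta
        if row["meta_key"] == CAPABILITIES_KEY and '"administrator"' in row["meta_value"]
    }
    found = []
    for u in users:
        registered = datetime.strptime(
            u["user_registered"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        if u["ID"] in admin_ids and registered >= since:
            found.append(u["user_login"])
    return found


def csv_php_missing(plugin_files):
    """True when inc/csv.php is absent from the plugin's file list (renamed or deleted)."""
    return not any(f.replace("\\", "/").endswith("inc/csv.php") for f in plugin_files)


def triage(log_lines, users, usermeta, plugin_files):
    """Bundle the three checks into one report dict."""
    return {
        "endpoint_hits": endpoint_hits(log_lines),
        "new_admins": suspicious_admins(users, usermeta),
        "csv_php_missing": csv_php_missing(plugin_files),
    }


# --- constructed sample data (not from any real incident) -------------------
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2024:02:14:05 +0000] "POST /wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1" 200 512',
    '198.51.100.23 - - [31/Mar/2024:02:14:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [31/Mar/2024:02:15:40 +0000] "POST /wp-content/plugins/wp-automatic/inc/csv.php?x=1 HTTP/1.1" 200 77',
    '192.0.2.5 - - [31/Mar/2024:03:00:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
]
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-06-01 10:00:00"},
    {"ID": 2, "user_login": "editor_jane", "user_registered": "2024-03-20 08:00:00"},
    {"ID": 3, "user_login": "wpadm_tmp", "user_registered": "2024-03-31 02:14:06"},
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 3, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]
# csv.php has been renamed away, as the article describes post-compromise.
SAMPLE_PLUGIN_FILES = ["wp-automatic.php", "inc/index.php", "inc/csv_bak.php"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, SAMPLE_USERS, SAMPLE_USERMETA, SAMPLE_PLUGIN_FILES).items():
        print(f"{key}: {value}")
```

The registration-date check is only a first pass: an attacker who can run arbitrary SQL can also backdate user_registered, so treat any administrator you do not recognise as suspect regardless of date, and pair these checks with a file-integrity comparison of the plugin directory against a clean copy.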