Critical WordPress Automatic Plugin Vulnerability Exploited to Inject Backdoors

A vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and web shells into websites.

Threat actors are exploiting a critical-severity vulnerability in a plugin named WordPress Automatic to inject malicious code into websites, WordPress security scanner WPScan warns.

The issue, tracked as CVE-2024-27956 (CVSS score of 9.8), is described as an SQL injection (SQLi) flaw in the plugin’s handling of user authentication in one file, allowing attackers to inject code into a site’s database and gain administrator privileges.

Attackers can bypass the authentication mechanism by sending crafted requests to execute database queries and create a new administrator account that enables them to upload malicious files such as backdoors and web shells.

To evade detection, the attackers were seen renaming the vulnerable plugin file, ensuring that they can maintain access to the compromised site, while also preventing other threat actors from exploiting the same vulnerability.

“Since the attacker can use their acquired high privileges to install plugins and themes to the site, we noticed that, in most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code,” WPScan notes.

By exploiting this vulnerability, attackers could potentially take over affected websites, the security scanning platform warns.

Impacting Automatic versions up to 3.92.0, CVE-2024-27956 was publicly disclosed by Patchstack on March 13. Since then, WPScan has seen over 5 million attempts to exploit the bug.

The issue was fixed in Automatic version 3.92.1, which also addresses a critical-severity server-side request forgery (SSRF) and arbitrary file download flaw tracked as CVE-2024-27954, and a high-severity cross-site request forgery (CSRF) bug tracked as CVE-2024-27955, data from Defiant shows.


Successful exploitation of these vulnerabilities allows attackers to modify information from internal services, access arbitrary files on the server, and escalate privileges.

A premium plugin from ValvePress, Automatic allows users to automatically post from any website to WordPress, including from RSS feeds. The plugin has more than 38,000 paying customers.

WordPress Automatic users are advised to update their installations as soon as possible.
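As an added triage example (not code from WPScan, Patchstack, Defiant or ValvePress), the following Python helper checks two things a site owner would want to verify after reading the above: whether an installed copy of the plugin still reports a version at or below 3.92.0, and whether any administrator account was registered on or after the March 13 disclosure date. It assumes the plugin's main file carries a standard WordPress plugin header, that the database uses the default wp_ table prefix, and that wp_users and wp_usermeta rows are supplied as tuples like the constructed sample below.

```python
import re
from datetime import datetime

FIXED_VERSION = (3, 92, 1)          # release that addresses CVE-2024-27956
DISCLOSURE = datetime(2024, 3, 13)  # Patchstack's public disclosure date

def parse_version(text):
    """'3.92.0' -> (3, 92, 0); missing components count as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])

def plugin_version(header_text):
    """Read the Version: field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.M)
    return parse_version(m.group(1)) if m else None

def is_vulnerable(header_text):
    """True when the installed version is at or below 3.92.0."""
    version = plugin_version(header_text)
    return version is not None and version < FIXED_VERSION

def suspicious_admins(users, usermeta):
    """users: (ID, user_login, user_registered) rows from wp_users;
    usermeta: (user_id, meta_key, meta_value) rows from wp_usermeta
    (meta_key assumes the default wp_ prefix; adjust if yours differs).
    Returns logins of administrators registered on or after disclosure."""
    admin_ids = {uid for uid, key, value in usermeta
                 if key == "wp_capabilities" and "administrator" in value}
    flagged = []
    for uid, login, registered in users:
        when = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if uid in admin_ids and when >= DISCLOSURE:
            flagged.append(login)
    return flagged

# Constructed sample data (not taken from any real site).
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: WordPress Automatic\nVersion: 3.92.0\n*/\n"
SAMPLE_USERS = [(1, "owner", "2022-05-01 09:00:00"),
                (7, "wp_support", "2024-03-20 02:14:33")]
SAMPLE_META = [(1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
               (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}')]

if __name__ == "__main__":
    print("vulnerable version:", is_vulnerable(SAMPLE_HEADER))
    print("admins created after disclosure:",
          suspicious_admins(SAMPLE_USERS, SAMPLE_META))
```

A flagged account is a lead to investigate, not proof of compromise; legitimate administrators added after March 13 will also appear, so confirm each against your own records.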


Written by Ionut Arghire, an international correspondent for SecurityWeek.
