WP Automatic WordPress plugin hit by millions of SQL injection attacks

Hackers have started to target a critical severity vulnerability in the WP Automatic plugin for WordPress to create user accounts with administrative privileges and to plant backdoors for long-term access.

Currently installed on more than 30,000 websites, WP Automatic lets administrators automate content importing (e.g. text, images, video) from various online sources and publishing on their WordPress site.

The exploited vulnerability is identified as as CVE-2024-27956 and received a severity score of 9.9/10.

It was disclosed publicly by researchers at PatchStack vulnerability mitigation service on March 13 and described as an SQL injection issue that impacts affecting WP Automatic versions before 3.9.2.0.

The issus is in the plugin’s user authentication mechanism, which can be bypassed to submit SQL queries to the site’s database. Hackers can use specially crafted queries to create administrator accounts on the target website.

Over 5.5 million attack attempts

Since PatchStack disclosed the security issue, Automattic's WPScan observed more than 5.5 million attacks trying to leverage the vulnerability, most of them being recorded on March 31st.

WPScan reports that after obtaining admin access to the target website, attackers create backdoors and obfuscate the code to make it more difficult to find.

“Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code,” reads WPScan’s report.

To prevent other hackers from compromising the website by exploiting the same issue and to avoid detection, the hackers also rename the vulnerable file “csv.php.”

Once they get control of the website, the threat actor often installs additional plugins that allow uploading files and code editing.

WPScan provides a set of indicators of compromise that can help admins determine if their website was hacked.

Administrators can check for signs that hackers took over the website by looking for the presense of an admin account starting with "xtw" and files named web.php and index.php, which are the backdoors planted in the recent campaign.

To mitigate the risk of being breached, researchers recommend WordPress site administrators to update the WP Automatic plugin to version 3.92.1 or later.

WPScan also recommends that website owners frequently create backups of their site so they can install clean copies quickly in case of a compromise.