Millions of SQL Injection Attacks Target WP Automatic WordPress Plugin
A critical vulnerability in the WP Automatic plugin for WordPress, which is currently used on over 30,000 websites, has become the focus of millions of SQL injection attacks. These attacks aim to create unauthorized user accounts with administrative privileges and plant backdoors for prolonged access.
The security flaw, cataloged as CVE-2024-27956, carries a high severity score of 9.9 out of 10. It was publicly disclosed by the PatchStack vulnerability mitigation service on March 13. The vulnerability affects versions of WP Automatic before 3.9.2.0 and stems from an SQL injection flaw within the plugin’s user authentication mechanism. This allows attackers to bypass security measures and execute malicious SQL queries directly on the website’s database.
Automattic’s WPScan, which tracks vulnerabilities in WordPress plugins, has recorded over 5.5 million attempts to exploit this vulnerability, with a significant spike observed on March 31. Successful attacks enable perpetrators to gain administrative access, create sophisticated backdoors, and obfuscate malicious code to evade detection.
To maintain exclusive access and avoid competition from other attackers, the intruders often rename the vulnerable “csv.php” file. Installing additional malicious plugins is also common, which gives them further means to manipulate files and code on the compromised site.
WPScan has released indicators of compromise that administrators can use to check if their sites have been affected. Signs of a breach include newly created admin accounts beginning with “xtw” and the presence of suspicious files named web.php and index.php. These files typically represent the backdoors used in recent attacks.
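A defender-side triage script for the indicators above, added here as an example rather than WPScan's own tooling. It assumes the plugin lives under `wp-content/plugins/wp-automatic/` with `csv.php` directly in that directory, and that you know the timestamp of your last known-good deploy; the user and file data are constructed stand-ins for a real database query and filesystem walk.

```python
"""IoC triage for the WP Automatic compromise pattern (added example, not WPScan's tooling)."""
from dataclasses import dataclass

SUSPICIOUS_LOGIN_PREFIX = "xtw"  # rogue admin logins quoted by WPScan
# Assumption: plugin directory slug and the location of the vulnerable file.
PLUGIN_DIR = "wp-content/plugins/wp-automatic/"
VULNERABLE_FILE = PLUGIN_DIR + "csv.php"

@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str

def check_admin_accounts(users):
    """users: (user_login, role) pairs, e.g. wp_users joined on the wp_capabilities meta."""
    return [Finding("rogue_admin", login) for login, role in users
            if role == "administrator" and login.startswith(SUSPICIOUS_LOGIN_PREFIX)]

def check_files(files, baseline_mtime):
    """files: (path, mtime) pairs relative to the WordPress root.
    index.php is legitimate in most directories, so it is only flagged when written
    after baseline_mtime (assumed: the last known-good deploy)."""
    findings = []
    paths = {path for path, _ in files}
    # Attackers rename csv.php to lock out rivals: plugin present but file gone.
    if any(p.startswith(PLUGIN_DIR) for p in paths) and VULNERABLE_FILE not in paths:
        findings.append(Finding("csv_php_missing", VULNERABLE_FILE))
    for path, mtime in files:
        name = path.rsplit("/", 1)[-1]
        if name == "web.php":
            findings.append(Finding("backdoor_file", path))
        elif name == "index.php" and mtime > baseline_mtime:
            findings.append(Finding("modified_index", path))
    return findings

def triage(users, files, baseline_mtime):
    """Return every finding, rogue accounts first."""
    return check_admin_accounts(users) + check_files(files, baseline_mtime)

# Constructed sample data standing in for a real SELECT and a file walk.
SAMPLE_USERS = [("editor_jane", "editor"), ("xtw184ab0", "administrator"),
                ("xtwguest", "subscriber"), ("admin", "administrator")]
SAMPLE_FILES = [(PLUGIN_DIR + "wp-automatic.php", 1_700_000_000),
                (PLUGIN_DIR + "index.php", 1_700_000_000),
                ("wp-content/uploads/2024/03/web.php", 1_711_900_000),
                ("wp-content/uploads/2024/03/index.php", 1_711_900_000)]
BASELINE = 1_710_000_000  # constructed: last legitimate deploy
FINDINGS = triage(SAMPLE_USERS, SAMPLE_FILES, BASELINE)
```

On the constructed data this reports the rogue `xtw` administrator, the missing `csv.php`, the `web.php` dropped into uploads and the recently written `index.php` beside it, while leaving the plugin's own unchanged `index.php` alone.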
To safeguard against this threat, administrators must update the WP Automatic plugin to version 3.92.1 or later. Regularly backing up the website is also advised, enabling a swift restoration to a clean state in the event of a compromise.