Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites
Apr 26, 2024
Threat Intelligence / Cyber Attack
Threat actors are attempting to actively exploit a critical security flaw in the ValvePress Automatic plugin for WordPress that could allow site takeovers. The shortcoming, tracked as CVE-2024-27956 , carries a CVSS score of 9.9 out of a maximum of 10. It impacts all versions of the plugin prior to 3.92.0. The issue has been resolved in version 3.92.1 released on February 27, 2024, although the release notes make no mention of it. "This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites," WPScan said in an alert this week. According to the Automattic-owned company, the issue is rooted in the plugin's user authentication mechanism, which can be trivially circumvented to execute arbitrary SQL queries against the database by means of specially crafted requests. In the attack