WordPress sites running the ValvePress Automatic plugin are exposed to a critical SQL injection vulnerability (CVE-2024-27956) that allows unauthenticated attackers to bypass login and take over sites. The recommended mitigation is upgrading to WP Automatic version 3.92.1 or later; a public PoC and widespread exploitation have been observed, and SonicWall has released an IPS signature to help defenders. #CVE-2024-27956 #WordPress #WPAutomatic #ValvePress #SQLInjection #HackerNews
Keypoints
- The WordPress Automatic plugin by ValvePress contains a critical SQL injection (CVE-2024-27956) with a CVSSv3 score of 9.9 and ~38k active users.
- The vulnerability lets attackers bypass authentication by sending a crafted SQL query to the web server, enabling site takeover.
- Attackers can create admin-level user accounts, upload malicious files, and gain full control over affected sites.
- Attack activity included renaming the vulnerable file (inc/csv.php) and other sensitive files to prevent the site owner, or rival attackers, from regaining control of the hijacked site.
- Public exploit code and a PoC exist, with demonstrations and a tracker noting ~5.5 million observed attacks in late March 2024.
- SonicWall has published protections (IPS 19918: WordPress Automatic Plugin SQL Injection) and recommends upgrading to version 3.92.1+ to mitigate the risk.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Bypasses authentication by sending a crafted SQL query to the web server. ‘This vulnerability allows threat actors to circumvent the authentication mechanism by sending a crafted SQL query to the web server.’
- [T1036] Masquerading – Renames vulnerable and sensitive files to avoid detection or control. ‘attackers changed the name of the vulnerable file “inc/csv.php” and renamed sensitive files to prevent the site owner or fellow hackers from controlling the hijacked site.’
- [T1136] Create Account – Creates admin-level user accounts after bypassing authentication to take full control. ‘This further allows nefarious activists to create admin‑level user accounts, upload malicious files and take full control of affected sites.’
- [T1505.003] Web Shell – Establishes backdoors and modifies code to maintain persistence. ‘Once a WordPress site is under their control, attackers ensure the longevity of their access by creating backdoors and modifying the code.’
Indicators of Compromise
- [File] vulnerable/targeted files – inc/csv.php, and /wp-content/plugins/wp-automatic/inc/csv.php
- [URL] exploitation and PoC references – https://github.com/truonghuuphuc/CVE-2024-27956, and https://thehackernews.com/2024/04/hackers-exploiting-wp-automatic-plugin.html
- [CVE] identifiers – CVE-2024-27956
- [IPS Signature] detection name – 19918 – WordPress Automatic Plugin SQL Injection
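Two defender-side checks that follow from the points above, as an added example that is not from the page, the plugin vendor or SonicWall: a version test against the 3.92.1 fix threshold, and a scan of web-server access logs for requests to the vulnerable inc/csv.php endpoint (the combined-log format and the sample lines are constructed for illustration).

```python
import re
from typing import Iterable

# Endpoint named on the page as the vulnerable file.
VULNERABLE_PATH = "/wp-content/plugins/wp-automatic/inc/csv.php"
# First fixed release named on the page (3.92.1+).
FIXED_VERSION = (3, 92, 1)

# Apache/nginx combined log format: ip ident user [ts] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_version(text: str) -> tuple:
    """Turn '3.92.0' into (3, 92, 0); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_vulnerable_version(version: str) -> bool:
    """True when the installed WP Automatic version predates the 3.92.1 fix."""
    return parse_version(version) < FIXED_VERSION

def find_csv_php_requests(lines: Iterable[str]) -> list:
    """Return (ip, method, status) for every request that reached the csv.php endpoint.
    The PoC is unauthenticated, so any POST here deserves review; a 404 after earlier
    200s can mean the file was renamed, which the page reports attackers doing."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop query string before comparing
        if path.endswith("/wp-automatic/inc/csv.php"):
            hits.append((m.group("ip"), m.group("method"), int(m.group("status"))))
    return hits

# Constructed sample log lines, not real traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Mar/2024:10:01:02 +0000] "POST /wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [28/Mar/2024:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Mar/2024:10:01:09 +0000] "POST /wp-content/plugins/wp-automatic/inc/csv.php?x=1 HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, method, status in find_csv_php_requests(SAMPLE_LOG):
        print(f"{ip} {method} csv.php -> {status}")
    print("installed 3.92.0 vulnerable:", is_vulnerable_version("3.92.0"))
```

The installed version string comes from the `Version:` header of the plugin's main PHP file or the WordPress admin plugin list; point the log scanner at the real access log instead of SAMPLE_LOG.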