New Malware Campaign Targets WP-Automatic Plugin

A few weeks ago a critical vulnerability was discovered in the plugin WP‑Automatic. This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites.

The Vulnerability

The vulnerability lies in the WP‑Automatic plugin’s handling of the user authentication mechanism in one of its files, which attackers can bypass to execute malicious SQL queries. By sending specially‑crafted requests, attackers can inject arbitrary SQL code into the site’s database and obtain elevated privileges. This vulnerability was publicly disclosed by PatchStack on March 13, 2024, and since then we have logged 5,576,488 attack attempts. The attack campaign started slowly and reached its peak on March 31st.

Exploitation Process:

  • SQL Injection (SQLi): Attackers leverage the SQLi vulnerability in the WP‑Automatic plugin to execute unauthorized database queries.
  • Admin User Creation: With the ability to execute arbitrary SQL queries, attackers can create new admin‑level user accounts within WordPress.
  • Malware Upload: Once an admin‑level account is created, attackers can upload malicious files, typically web shells or backdoors, to the compromised website’s server.
  • File Renaming: Attackers may rename the vulnerable WP‑Automatic file so that only they can exploit it.

Malware Persistence:

Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code. To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue. It is worth mentioning that this may also be a way for attackers to prevent other bad actors from exploiting the sites they have already compromised. Also, since the attacker can use the acquired high privileges to install plugins and themes on the site, we noticed that, on most of the compromised sites, the bad actors installed plugins that allowed them to upload files or edit code.

Mitigation Steps:

In response to this threat, website owners are urged to take immediate action to protect their WordPress sites. Key mitigation steps include:

  • Plugin Updates: Ensure that the WP‑Automatic plugin is updated to the latest version.
  • User Account Review: Regularly review and audit user accounts within WordPress, removing any unauthorized or suspicious admin users.
  • Security Monitoring: Employ robust security monitoring tools and services like Jetpack Scan to detect and respond to malicious activity on your website. Also, if you are using Jetpack Scan and you’re looking to bolster your website’s security, consider enabling Enhance Protection. By activating this feature, you empower the Web Application Firewall (WAF) to inspect requests directed at standalone PHP files that might be vulnerable. This means that even if attackers attempt to send requests directly to PHP files, our WAF will be there to inspect and safeguard your website against potential threats.
  • Backup and Restore: Maintain up‑to‑date backups of your website data to facilitate swift restoration in the event of a compromise.

For Jetpack WAF users with old versions of the WP‑Automatic plugin, we created a rule that blocks access to the vulnerable PHP file, ensuring that all malicious requests are rejected. We also added new rules to our malware database to detect and clean the malware used in this campaign.

Indicators of Compromise

If you find any of the following indicators, your site was compromised by this active campaign:

  • Administrator user with name starting with xtw.
  • The vulnerable file “/wp‑content/plugins/wp‑automatic/inc/csv.php” renamed to something like “/wp‑content/plugins/wp‑automatic/inc/csv65f82ab408b3.php”
  • Files with the following SHA1 hashes dropped in your site’s filesystem:
    • b0ca85463fe805ffdf809206771719dc571eb052  web.php
    • 8e83c42ffd3c5a88b2b2853ff931164ebce1c0f3  index.php
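The three indicators above can be checked from the command line. The script below is an added example written for this post, not WPScan's or Jetpack's own tooling: it looks for renamed copies of csv.php in the plugin's inc/ directory, walks the site tree for files whose SHA1 matches the two hashes listed above, and flags administrator logins starting with "xtw" from a user list you export yourself (for instance with WP-CLI). Directory layout and the user-list tuple format are assumptions.

```python
import hashlib
import os
from pathlib import Path

# SHA1 hashes of the dropped files listed in the indicators of compromise.
KNOWN_SHA1 = {
    "b0ca85463fe805ffdf809206771719dc571eb052",  # web.php
    "8e83c42ffd3c5a88b2b2853ff931164ebce1c0f3",  # index.php
}
# Assumed standard plugin path relative to the WordPress root.
PLUGIN_INC = Path("wp-content/plugins/wp-automatic/inc")


def renamed_csv_files(wp_root):
    """Paths in the plugin's inc/ dir that look like a renamed csv.php
    (e.g. csv65f82ab408b3.php). The original csv.php is not reported."""
    inc = Path(wp_root) / PLUGIN_INC
    if not inc.is_dir():
        return []
    return sorted(str(p) for p in inc.glob("csv*.php") if p.name != "csv.php")


def files_matching_hashes(wp_root, known=KNOWN_SHA1):
    """Walk the site tree and return (path, sha1) for every file whose
    SHA1 digest is in the known set. Files are hashed in chunks."""
    hits = []
    for dirpath, _dirs, names in os.walk(wp_root):
        for name in names:
            path = os.path.join(dirpath, name)
            h = hashlib.sha1()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digest = h.hexdigest()
            if digest in known:
                hits.append((path, digest))
    return sorted(hits)


def suspicious_admins(users):
    """users: iterable of (user_login, role) tuples, e.g. built from the
    output of `wp user list --fields=user_login,roles` (assumed format).
    Returns administrator logins that start with 'xtw'."""
    return [login for login, role in users
            if role == "administrator" and login.startswith("xtw")]
```

Run the three checks against a copy of the site's document root; a non-empty result from any of them matches an indicator from the list above.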
