Critical WP-Automatic Plugin Flaw Leaves WordPress Sites Open for Takeover – Update Now!

Got a WordPress site? Beware of the WP-Automatic plugin flaw—CVE-2024-27956—that’s a 9.9 CVSS-scored party favor for hackers, letting them RSVP without an invite to your website’s admin bash. Update or face the music!

Hot Take:

Well, isn’t this a cybercriminal’s dream? A plugin vulnerability that’s the digital equivalent of leaving your front door wide open with a neon ‘Welcome’ sign for hackers. It’s like throwing a barbecue and accidentally inviting every villain in a 10-mile radius. WP-Automatic users, it’s time to update or get ready to play an unwanted game of ‘capture the flag’ with your website.

Key Points:

  • WP-Automatic plugin for WordPress is waving a red flag with a critical security flaw, CVE-2024-27956.
  • One SQL injection later, and attackers can play house with your website, creating admin accounts and uploading their no-good files.
  • These sneaky cyber-sorcerers are even renaming files to throw off the scent like incognito internet ninjas.
  • Over 5.5 million attack attempts have been sighted in the wild, turning the internet into a digital safari of dangers.
  • If that wasn’t enough, other plugins are also throwing a party for hackers with bugs that could make Swiss cheese look solid.

Title: WordPress WP Poll Maker plugin <= 3.4 - Authenticated Arbitrary File Upload vulnerability
Cve id: CVE-2024-32514
Cve state: PUBLISHED
Cve assigner short name: Patchstack
Cve date updated: 04/17/2024
Cve description: Unrestricted Upload of File with Dangerous Type vulnerability in Poll Maker & Voting Plugin Team (InfoTheme) WP Poll Maker. This issue affects WP Poll Maker: from n/a through 3.4.

Cve id: CVE-2024-2417
Cve state: PUBLISHED
Cve assigner short name: Wordfence
Cve date updated: 05/02/2024
Cve description: The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the form_save_action() function in all versions up to, and including, 3.1.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the registration form and make the default registration role administrator. This subsequently allows the attacker to register an account as an administrator on the site.

Cve id: CVE-2024-28890
Cve state: PUBLISHED
Cve assigner short name: jpcert
Cve date updated: 04/23/2024
Cve description: Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition.

Title: WordPress Automatic plugin <= 3.92.0 - Unauthenticated Arbitrary SQL Execution vulnerability
Cve id: CVE-2024-27956
Cve state: PUBLISHED
Cve assigner short name: Patchstack
Cve date updated: 03/21/2024
Cve description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection. This issue affects Automatic: from n/a through 3.92.0.

Cve id: CVE-2024-2876
Cve state: PUBLISHED
Cve assigner short name: Wordfence
Cve date updated: 05/02/2024
Cve description: The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'run' function of the 'IG_ES_Subscribers_Query' class in all versions up to, and including, 5.7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
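Two of the weakness classes in the records above, the missing capability check behind CVE-2024-2417 and the unrestricted file upload behind CVE-2024-32514 and CVE-2024-28890, come down to a handler that never asks who is calling or what is being sent. The following is an added illustration written for this page, not code from any of the plugins named; the `demo_` function names, the option name, the AJAX hook names and the allowed-role list are assumptions. Each weak handler is shown beside a hardened version built on WordPress's own nonce, capability and upload APIs.

```php
<?php
// Added illustrative example, not code from any plugin named on this page.
// Function names, the option name and the hook names are assumptions.

// --- Weak: any logged-in user can reach this through admin-ajax.php ---
function demo_form_save_action_weak() {
    // No nonce, no capability check: a subscriber can set the default
    // registration role to 'administrator' and then self-register as admin.
    update_option( 'demo_default_role', sanitize_key( $_POST['default_role'] ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_form_save_weak', 'demo_form_save_action_weak' );

// --- Hardened: verify intent (nonce) and authority (capability), and
//     restrict the value to roles that are safe as a self-registration default ---
function demo_form_save_action_hardened() {
    check_ajax_referer( 'demo_form_save', 'nonce' ); // dies on a missing or bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $role = isset( $_POST['default_role'] )
        ? sanitize_key( wp_unslash( $_POST['default_role'] ) )
        : '';
    $allowed = array( 'subscriber', 'contributor' ); // assumed policy for this demo
    if ( ! in_array( $role, $allowed, true ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }
    update_option( 'demo_default_role', $role );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_form_save', 'demo_form_save_action_hardened' );

// --- Weak upload: trusts the client-supplied name and type ---
function demo_handle_upload_weak() {
    $dest = wp_upload_dir()['path'] . '/' . basename( $_FILES['file']['name'] );
    // A .php file written here sits in a web-served directory.
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
}

// --- Hardened upload: caller must hold upload_files, the type is checked
//     against file content with an allowlist, and WordPress writes the file ---
function demo_handle_upload_hardened() {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to upload.' );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No uploaded file.' );
    }
    $mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    // Compares the extension with the detected MIME type; anything outside $mimes fails.
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.' );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload() re-validates against $mimes, sanitizes the name and
    // makes it unique within the uploads directory.
    return wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $mimes ) );
}
```

The two checks in the hardened save handler answer different questions: the nonce ties the request to a form the user actually submitted, while `current_user_can()` decides whether that user is allowed to change site-wide settings at all; omitting either one leaves the subscriber-to-administrator path the CVE-2024-2417 record describes. For uploads, the allowlist is passed both to `wp_check_filetype_and_ext()` and to `wp_handle_upload()`, so a script disguised with an image extension is rejected on content, not on the name the client chose.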

Need to know more?

When "Automatic" Means "Auto-magic" for Hackers

Imagine a plugin so generous, it gives attackers the keys to your WordPress kingdom. CVE-2024-27956 is that overly hospitable host, providing an unauthenticated SQL injection (SQLi) flaw so attackers can make themselves at home. And by home, I mean your website, where they're not exactly baking cookies but rather baking up some digital chaos. The plugin's user authentication mechanism is the weak link here, treating SQL queries like an open bar at a hacker's wedding.
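The CVE records for both WP-Automatic and Email Subscribers describe the same root cause: a request parameter is dropped into SQL text with no escaping or preparation. The following is an added illustration of that pattern in a WordPress lookup, not the WP-Automatic plugin's own code; the `demo_` function names and the column allowlist are assumptions. The weak function is shown beside the prepared form, plus the one case `$wpdb->prepare()` cannot cover on its own (a dynamic identifier), which has to be validated against an allowlist instead.

```php
<?php
// Added illustrative example, not code from any plugin named on this page.
// Function names and the column allowlist are assumptions.

// --- Weak: the request value becomes part of the SQL text ---
function demo_find_user_weak( $login ) {
    global $wpdb;
    // A single quote inside $login ends the string literal early and the
    // remainder of the input is parsed as SQL, which is the injection.
    $sql = "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = '" . $login . "'";
    return $wpdb->get_row( $sql );
}

// --- Hardened: a placeholder keeps the data separate from the SQL structure ---
function demo_find_user_hardened( $login ) {
    global $wpdb;
    // %s is quoted and escaped by $wpdb->prepare(); the table name comes from
    // $wpdb, never from the request.
    $sql = $wpdb->prepare(
        "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = %s",
        $login
    );
    return $wpdb->get_row( $sql );
}

// Identifiers (column names, sort direction) cannot be passed as %s, since
// that would quote them; validate them against a fixed allowlist instead.
function demo_list_users( $order_by, $limit ) {
    global $wpdb;
    $columns = array( 'ID', 'user_login', 'user_registered' ); // assumed allowlist
    if ( ! in_array( $order_by, $columns, true ) ) {
        $order_by = 'ID';
    }
    $sql = $wpdb->prepare(
        "SELECT ID, user_login FROM {$wpdb->users} ORDER BY {$order_by} LIMIT %d",
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// A lookup is not authentication: the password is checked with WordPress's
// hashing, never compared inside the SQL statement.
function demo_authenticate( $login, $password ) {
    $row = demo_find_user_hardened( $login );
    if ( ! $row ) {
        return false;
    }
    $user = get_user_by( 'id', $row->ID );
    if ( ! $user || ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
        return false;
    }
    return $user;
}
```

The difference between the two lookups is structural, not cosmetic: in the prepared version the database driver receives the query shape and the value separately, so no value the client sends can add a clause, a UNION or a second statement. Escaping alone (the "insufficient escaping" the Email Subscribers record mentions) is weaker because it depends on every code path remembering to do it; preparing the query makes the safe form the default.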

Attackers Go Incognito

These crafty digital invaders have a stealth mode that would make a chameleon jealous. They're not just exploiting sites; they're redecorating too, by renaming the vulnerable WP-Automatic file to something less conspicuous. It's like a burglar breaking in and then changing your locks to keep other burglars out. Talk about territorial!

A Wild Safari of Cyber Attacks

Since the vulnerability went public, there's been a stampede of over 5.5 million attack attempts. That's a whole lot of cyber predators looking for prey. With this many attempts, it's less of a targeted attack and more of an all-you-can-eat buffet for malicious actors.

It's a Plugin Pandemic

But wait, there's more! WP-Automatic isn't alone in its vulnerability voyage. Other plugins like Email Subscribers, Forminator, and User Registration are throwing their own flaws into the mix. It's like a potluck where every dish is spiked with a little bit of danger. And for dessert, the Poll Maker plugin serves up a remote code execution risk that's the cherry on top of this risky business sundae.

Update or Upset

If you're running a WordPress site with any of these plugins, it's time to hit that update button faster than a cat in a cucumber patch. Failure to do so could mean you're RSVPing 'yes' to a hacking event you never wanted to attend. So, let's patch up these plugins and keep the digital party crashers at bay!

Tags: Arbitrary File Upload, CVE-2024-27956, Plugin Security Flaws, SQL Injection, Vulnerability Exploitation, WordPress Security, WP-Automatic Plugin