WP Automatic Plugin: Patch Now for Critical Flaw (CVE-2024-27956)


WordPress website owners are facing a serious security threat due to a critical vulnerability (CVE-2024-27956) discovered in the widely used WP Automatic plugin. Malicious actors are actively exploiting this flaw to gain complete control of vulnerable websites. This article provides a comprehensive explanation of the vulnerability, its impact, and the crucial steps website administrators must take to protect their sites.

Understanding the Vulnerability

The vulnerability resides within the WP Automatic plugin’s user authentication process. This flaw, classified as an SQL Injection (SQLi) vulnerability, allows attackers to inject malicious SQL code into the website’s database. Once injected, this code can wreak havoc, granting attackers the ability to:

  • Create Administrator Accounts: Hackers can bypass standard user creation procedures and establish new administrator accounts with full privileges. These privileged accounts grant them unrestricted access to modify, delete, or steal website content.
  • Upload Web Shells and Backdoors: Malicious actors can upload web shells and backdoors onto the compromised website. These files provide attackers with persistent, remote access to the website’s core functionalities, which lets them maintain control even after website administrators take initial steps to address the breach.
  • Complete Website Takeover: The combined effect of creating administrator accounts and uploading backdoors empowers attackers to seize complete control of the compromised website. They can then manipulate website content, steal sensitive data, or redirect visitors to malicious websites for phishing attacks or malware distribution.

The urgency to address this vulnerability is underscored by the fact that it is being actively exploited in the wild. PatchStack publicly disclosed the vulnerability (CVE-2024-27956) on March 13, 2024. Since then, there has been a steady rise in exploit attempts, culminating in over 5.5 million detections by WPScan on March 31st. This alarming trend highlights the critical need for website administrators to take immediate action.

Identifying Signs of Compromise

If you suspect your website may be compromised due to this vulnerability, there are specific indicators to look out for:

  • Suspicious Administrator Account: An administrator user with a username beginning with “xtw” that you don’t recognize is a red flag. This username pattern is commonly associated with this particular exploit.
  • Renamed Plugin File: Hackers might attempt to mask their activity by renaming the vulnerable plugin file. Look for a modified filename within the “/wp-content/plugins/wp-automatic/inc/” directory. The original file name is “csv.php,” but it could be renamed to something like “csv65f82ab408b3.php”.
  • Malicious Files: The presence of certain files within your website’s file system can be a sign of compromise. These files typically have the following characteristics:
    • web.php (SHA1 hash: b0ca85463fe805ffdf809206771719dc571eb052)
    • index.php (SHA1 hash: 8e83c42ffd3c5a88b2b2853ff931164ebce1c0f3)
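
The three indicators above can be checked in one pass over a site's files. This is an added example, not code from the original article or from any tool it names; the function names, the `csv*.php` filename pattern and the `bad_hashes` parameter are assumptions made for illustration.

```python
import hashlib
import re
import sys
from pathlib import Path

# Indicators quoted in the article; everything else here is illustrative.
KNOWN_BAD_SHA1 = {
    "web.php": "b0ca85463fe805ffdf809206771719dc571eb052",
    "index.php": "8e83c42ffd3c5a88b2b2853ff931164ebce1c0f3",
}
PLUGIN_INC = "wp-content/plugins/wp-automatic/inc"
# Assumed pattern: csv.php with extra characters before the extension,
# e.g. csv65f82ab408b3.php. Plain csv.php does not match.
RENAMED_CSV = re.compile(r"^csv.+\.php$", re.IGNORECASE)


def sha1_of(path):
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_site(wp_root, admin_logins=(), bad_hashes=KNOWN_BAD_SHA1):
    """Return sorted (indicator, detail) findings for one WordPress root."""
    root, findings = Path(wp_root), []
    # 1. Administrator logins beginning with "xtw".
    for login in admin_logins:
        if login.lower().startswith("xtw"):
            findings.append(("suspicious_admin", login))
    # 2. Renamed copy of csv.php inside the plugin's inc/ directory.
    inc = root / PLUGIN_INC
    if inc.is_dir():
        for f in inc.iterdir():
            if f.is_file() and RENAMED_CSV.match(f.name):
                findings.append(("renamed_csv", f.relative_to(root).as_posix()))
    # 3. web.php / index.php anywhere under the root whose SHA1 matches.
    for f in root.rglob("*.php"):
        want = bad_hashes.get(f.name)
        if want and f.is_file() and sha1_of(f) == want:
            findings.append(("known_bad_hash", f.relative_to(root).as_posix()))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan.py /path/to/wordpress [admin_login ...]
    for kind, detail in scan_site(sys.argv[1] if len(sys.argv) > 1 else ".", sys.argv[2:]):
        print(f"{kind}\t{detail}")
```

Administrator logins can be supplied from `wp user list --role=administrator --field=user_login`. A finding is a lead for manual review, since a legitimate file could match the filename pattern.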

Taking Action to Secure Your Website

Here are the essential steps you must take to safeguard your WordPress website from this critical vulnerability:

  1. Immediate Update: The most crucial step is to update the WP Automatic plugin to version 3.9.2.1 (or later) as soon as possible. This patched version addresses the security vulnerability and significantly reduces your website’s exposure.
  2. Thorough User Audit: Conduct a meticulous review of all your WordPress user accounts. Eliminate any unauthorized or suspicious administrator accounts you discover. This helps prevent attackers from leveraging compromised accounts to maintain control of your website.
  3. Robust Security Monitoring: Implement a reputable security monitoring tool like Jetpack Scan. Security monitoring tools continuously scan your website for suspicious activity and potential breaches. Early detection is paramount in mitigating the damage caused by a website compromise.
  4. Regular Backups: Maintain consistent backups of your entire website data, including databases, themes, plugins, and content. Having recent backups allows for a swift restoration process if your website is compromised. This minimizes downtime and data loss.

The WP Automatic plugin vulnerability (CVE-2024-27956) poses a significant threat to WordPress website security. By following the recommended actions outlined above, website administrators can effectively patch the vulnerability and fortify their website.

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.


5 Comments

turnpike April 28, 2024 - 7:30 am

I’m going to tell my little brother that he should also pay a quick visit to this website on a regular basis to get updated with the newest news.

Maya Pillai April 29, 2024 - 5:32 am

Thank you, turnpike. It means a lot to us.

Maya Pillai April 29, 2024 - 5:42 pm

That sounds great.

candace April 28, 2024 - 12:13 pm

I believe everything published was actually very logical. However, what about this? Suppose you were to create an awesome title? I mean, I don’t wish to tell you how to run your blog, but what if you added a title that makes people want more? I mean WP Automatic Plugin: Patch Now for Critical Flaw (CVE-2024-27956) –

You might try adding a video or a picture or two to get readers excited about everything you’ve got to say. In my opinion, it could make your posts a little livelier.

Maya Pillai April 29, 2024 - 5:32 am

Thanks, Candace. Will consider your recommendation. Yes, a picture or two would make my post livelier; have forwarded your recommendation to the concerned.
