Active Exploitation of Critical Vulnerability in WordPress Automatic Plugin

Published on 06 May 2024

ValvePress has released security updates to address a critical vulnerability (CVE-2024-27956) impacting WordPress Automatic plugin. This vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 9.9 out of 10 and is reportedly being actively exploited.

Successful exploitation of the SQL injection vulnerability could allow unauthenticated attackers to create administrative user accounts, create backdoors, upload malicious files, and gain control of the vulnerable sites.

The vulnerability affects WordPress Automatic versions 3.92.0 and below.

Users and administrators of the affected product versions are advised to update to the latest versions immediately.

More information is available here:

https://nvd.nist.gov/vuln/detail/CVE-2024-27956

https://arstechnica.com/security/2024/04/hackers-make-millions-of-attempts-to-exploit-wordpress-plugin-vulnerability/?utm_source=tldrinfosec

https://www.bleepingcomputer.com/news/security/wp-automatic-wordpress-plugin-hit-by-millions-of-sql-injection-attacks/amp/