A popular WordPress plugin, Automatic (premium version), developed by ValvePress, has been found to harbor critical security vulnerabilities that put over 40,000 websites at risk.
This plugin, known for its capability to create posts from various sources, including YouTube, Twitter, and virtually any website through scraping modules, has been identified as a gateway for potential cyber-attacks due to these flaws.
Unauthenticated Arbitrary SQL Execution – CVE-2024-27956
The first of the two vulnerabilities, CVE-2024-27956, allows unauthenticated users to execute arbitrary SQL queries on the affected WordPress sites.
This flaw was found in the inc/csv.php file, where an arbitrary SQL query could be supplied to the $q variable and executed.
Free Webinar : Mitigating Vulnerability & 0-day Threats
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:
- The problem of vulnerability fatigue today
- Difference between CVSS-specific vulnerability vs risk-based vulnerability
- Evaluating vulnerabilities based on the business impact/risk
- Automation to reduce alert fatigue and enhance security posture significantly
AcuRisQ, that helps you to quantify risk accurately:
Despite checks involving user password trimming and MD5 hashing, attackers could bypass these by simply supplying a whitespace character, enabling full-scale SQL query execution.
Unauthenticated Arbitrary File Download and SSRF – CVE-2024-27954
The second vulnerability, CVE-2024-27954, pertains to arbitrary file downloads and Server-Side Request Forgery (SSRF) attacks.
This flaw in the downloader.php file allows attackers to fetch arbitrary URLs or local files using the $_GET[‘link’] parameter.
Initially, this could be exploited without any authentication, posing a significant risk to the integrity and confidentiality of the WordPress site data.
PatchStack has recently published a technical article highlighting the critical vulnerabilities fixed in the latest version of WordPress Automatic Plugin through security patches.
The Patch
In response to these vulnerabilities, ValvePress has issued updates to mitigate the risks. For CVE-2024-27956, the inc/csv.php file was removed entirely.
To address CVE-2024-27954, a nonce check was introduced, requiring a value only obtainable by privileged users, alongside a validation check on the $link variable.
These measures aim to secure the plugin against unauthorized SQL executions and file downloads.
FofaBot recently tweeted about a critical update to the WordPress Automatic plugin.
The discovery of these vulnerabilities underscores the critical need for rigorous security measures in plugin development, especially those that involve SQL query execution and URL fetching capabilities.
Developers are advised to avoid providing full-scale SQL query features, even to high-privilege users, and to implement permission and nonce checks for URL fetching actions.
For enhanced security, it is recommended that users fetch URLs using WordPress’s wp_safe_remote_* functions.
This incident serves as a reminder of the ever-present risks in the digital landscape and the importance of maintaining up-to-date security practices to protect against potential cyber threats.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.