Saturday, May 25, 2024

WordPress Plugin Flaw Exposes 40,000+ Websites to Cyber Attack

A popular WordPress plugin, Automatic (premium version), developed by ValvePress, has been found to harbor critical security vulnerabilities that put over 40,000 websites at risk.

This plugin, known for its capability to create posts from various sources, including YouTube, Twitter, and virtually any website through scraping modules, has been identified as a gateway for potential cyber-attacks due to these flaws.

Unauthenticated Arbitrary SQL Execution – CVE-2024-27956

The first of the two vulnerabilities, CVE-2024-27956, allows unauthenticated users to execute arbitrary SQL queries on the affected WordPress sites.

This flaw was found in the inc/csv.php file, where an arbitrary SQL query could be supplied to the $q variable and executed.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

Despite checks involving user password trimming and MD5 hashing, attackers could bypass these by simply supplying a whitespace character, enabling full-scale SQL query execution.

Unauthenticated Arbitrary File Download and SSRF – CVE-2024-27954

The second vulnerability, CVE-2024-27954, pertains to arbitrary file downloads and Server-Side Request Forgery (SSRF) attacks.

This flaw in the downloader.php file allows attackers to fetch arbitrary URLs or local files using the $_GET[‘link’] parameter.

Initially, this could be exploited without any authentication, posing a significant risk to the integrity and confidentiality of the WordPress site data.

PatchStack has recently published a technical article highlighting the critical vulnerabilities fixed in the latest version of WordPress Automatic Plugin through security patches.

The Patch

In response to these vulnerabilities, ValvePress has issued updates to mitigate the risks. For CVE-2024-27956, the inc/csv.php file was removed entirely.

To address CVE-2024-27954, a nonce check was introduced, requiring a value only obtainable by privileged users, alongside a validation check on the $link variable.

These measures aim to secure the plugin against unauthorized SQL executions and file downloads.

FofaBot recently tweeted about a critical update to the WordPress Automatic plugin.

The discovery of these vulnerabilities underscores the critical need for rigorous security measures in plugin development, especially those that involve SQL query execution and URL fetching capabilities.

Developers are advised to avoid providing full-scale SQL query features, even to high-privilege users, and to implement permission and nonce checks for URL fetching actions.

For enhanced security, it is recommended that users fetch URLs using WordPress’s wp_safe_remote_* functions.

This incident serves as a reminder of the ever-present risks in the digital landscape and the importance of maintaining up-to-date security practices to protect against potential cyber threats.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Website

Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles