Saturday, October 12, 2024
HomeCyber AttackWordPress Plugin Flaw Exposes 40,000+ Websites to Cyber Attack

WordPress Plugin Flaw Exposes 40,000+ Websites to Cyber Attack

Published on

Malware protection

A popular WordPress plugin, Automatic (premium version), developed by ValvePress, has been found to harbor critical security vulnerabilities that put over 40,000 websites at risk.

This plugin, known for its capability to create posts from various sources, including YouTube, Twitter, and virtually any website through scraping modules, has been identified as a gateway for potential cyber-attacks due to these flaws.

Unauthenticated Arbitrary SQL Execution – CVE-2024-27956

The first of the two vulnerabilities, CVE-2024-27956, allows unauthenticated users to execute arbitrary SQL queries on the affected WordPress sites.

- Advertisement - SIEM as a Service

This flaw was found in the inc/csv.php file, where an arbitrary SQL query could be supplied to the $q variable and executed.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

Despite checks involving user password trimming and MD5 hashing, attackers could bypass these by simply supplying a whitespace character, enabling full-scale SQL query execution.

Unauthenticated Arbitrary File Download and SSRF – CVE-2024-27954

The second vulnerability, CVE-2024-27954, pertains to arbitrary file downloads and Server-Side Request Forgery (SSRF) attacks.

This flaw in the downloader.php file allows attackers to fetch arbitrary URLs or local files using the $_GET[‘link’] parameter.

Initially, this could be exploited without any authentication, posing a significant risk to the integrity and confidentiality of the WordPress site data.

PatchStack has recently published a technical article highlighting the critical vulnerabilities fixed in the latest version of WordPress Automatic Plugin through security patches.

The Patch

In response to these vulnerabilities, ValvePress has issued updates to mitigate the risks. For CVE-2024-27956, the inc/csv.php file was removed entirely.

To address CVE-2024-27954, a nonce check was introduced, requiring a value only obtainable by privileged users, alongside a validation check on the $link variable.

These measures aim to secure the plugin against unauthorized SQL executions and file downloads.

FofaBot recently tweeted about a critical update to the WordPress Automatic plugin.

The discovery of these vulnerabilities underscores the critical need for rigorous security measures in plugin development, especially those that involve SQL query execution and URL fetching capabilities.

Developers are advised to avoid providing full-scale SQL query features, even to high-privilege users, and to implement permission and nonce checks for URL fetching actions.

For enhanced security, it is recommended that users fetch URLs using WordPress’s wp_safe_remote_* functions.

This incident serves as a reminder of the ever-present risks in the digital landscape and the importance of maintaining up-to-date security practices to protect against potential cyber threats.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...