WordPress Plugin Flaw Exposes 40,000+ Websites to Cyber Attack

A popular WordPress plugin, Automatic (premium version), developed by ValvePress, has been found to harbor critical security vulnerabilities that put over 40,000 websites at risk.

This plugin, known for its capability to create posts from various sources, including YouTube, Twitter, and virtually any website through scraping modules, has been identified as a gateway for potential cyber-attacks due to these flaws.

Unauthenticated Arbitrary SQL Execution – CVE-2024-27956

The first of the two vulnerabilities, CVE-2024-27956, allows unauthenticated users to execute arbitrary SQL queries on the affected WordPress sites.

This flaw was found in the inc/csv.php file, where an arbitrary SQL query could be supplied to the $q variable and executed.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. :

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

Despite checks involving user password trimming and MD5 hashing, attackers could bypass these by simply supplying a whitespace character, enabling full-scale SQL query execution.

Unauthenticated Arbitrary File Download and SSRF – CVE-2024-27954

The second vulnerability, CVE-2024-27954, pertains to arbitrary file downloads and Server-Side Request Forgery (SSRF) attacks.

This flaw in the downloader.php file allows attackers to fetch arbitrary URLs or local files using the $_GET[‘link’] parameter.

Initially, this could be exploited without any authentication, posing a significant risk to the integrity and confidentiality of the WordPress site data.

PatchStack has recently published a technical article highlighting the critical vulnerabilities fixed in the latest version of WordPress Automatic Plugin through security patches.

The Patch

In response to these vulnerabilities, ValvePress has issued updates to mitigate the risks. For CVE-2024-27956, the inc/csv.php file was removed entirely.

To address CVE-2024-27954, a nonce check was introduced, requiring a value only obtainable by privileged users, alongside a validation check on the $link variable.

These measures aim to secure the plugin against unauthorized SQL executions and file downloads.

FofaBot recently tweeted about a critical update to the WordPress Automatic plugin.

The discovery of these vulnerabilities underscores the critical need for rigorous security measures in plugin development, especially those that involve SQL query execution and URL fetching capabilities.

Developers are advised to avoid providing full-scale SQL query features, even to high-privilege users, and to implement permission and nonce checks for URL fetching actions.

For enhanced security, it is recommended that users fetch URLs using WordPress’s wp_safe_remote_* functions.

This incident serves as a reminder of the ever-present risks in the digital landscape and the importance of maintaining up-to-date security practices to protect against potential cyber threats.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

18 hours ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

19 hours ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

20 hours ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

20 hours ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

21 hours ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

21 hours ago