WordPress Plugin Flaw Exposes 40,000+ Websites to Cyber Attack

A popular WordPress plugin, Automatic (premium version), developed by ValvePress, has been found to harbor critical security vulnerabilities that put over 40,000 websites at risk.

This plugin, known for its capability to create posts from various sources, including YouTube, Twitter, and virtually any website through scraping modules, has been identified as a gateway for potential cyber-attacks due to these flaws.

Unauthenticated Arbitrary SQL Execution – CVE-2024-27956

The first of the two vulnerabilities, CVE-2024-27956, allows unauthenticated users to execute arbitrary SQL queries on the affected WordPress sites.

This flaw was found in the inc/csv.php file, where an arbitrary SQL query could be supplied to the $q variable and executed.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. :

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

Despite checks involving user password trimming and MD5 hashing, attackers could bypass these by simply supplying a whitespace character, enabling full-scale SQL query execution.

Unauthenticated Arbitrary File Download and SSRF – CVE-2024-27954

The second vulnerability, CVE-2024-27954, pertains to arbitrary file downloads and Server-Side Request Forgery (SSRF) attacks.

This flaw in the downloader.php file allows attackers to fetch arbitrary URLs or local files using the $_GET[‘link’] parameter.

Initially, this could be exploited without any authentication, posing a significant risk to the integrity and confidentiality of the WordPress site data.

PatchStack has recently published a technical article highlighting the critical vulnerabilities fixed in the latest version of WordPress Automatic Plugin through security patches.

The Patch

In response to these vulnerabilities, ValvePress has issued updates to mitigate the risks. For CVE-2024-27956, the inc/csv.php file was removed entirely.

To address CVE-2024-27954, a nonce check was introduced, requiring a value only obtainable by privileged users, alongside a validation check on the $link variable.

These measures aim to secure the plugin against unauthorized SQL executions and file downloads.

FofaBot recently tweeted about a critical update to the WordPress Automatic plugin.

The discovery of these vulnerabilities underscores the critical need for rigorous security measures in plugin development, especially those that involve SQL query execution and URL fetching capabilities.

Developers are advised to avoid providing full-scale SQL query features, even to high-privilege users, and to implement permission and nonce checks for URL fetching actions.

For enhanced security, it is recommended that users fetch URLs using WordPress’s wp_safe_remote_* functions.

This incident serves as a reminder of the ever-present risks in the digital landscape and the importance of maintaining up-to-date security practices to protect against potential cyber threats.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

7 hours ago

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…

8 hours ago

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series of…

8 hours ago

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware,…

8 hours ago

Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a…

8 hours ago

Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental,…

8 hours ago