Last month, security researchers at PatchStack discovered a critical SQL injection (SQLi) vulnerability in the WP Automatic plugin for WordPress.

This vulnerability poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites.

The vulnerability was publicly disclosed by PatchStack on March 13, 2024, and since then attackers have started to target WordPress sites to create user accounts with administrative privileges and plant backdoors for long-term access.

Automattic’s WPScan observed more than 5.5 million attacks attempting to exploit the vulnerability, most of them recorded on March 31.


WPScan reports that after obtaining admin access to the target website, attackers create backdoors and obfuscate the code to make it more difficult to find.

“Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code,” reads WPScan’s report.

To prevent other hackers from compromising the website through the same issue, and to avoid detection, the attackers also rename the vulnerable file “csv.php”.

Once they control the website, the threat actors often install additional plugins that allow file uploads and code editing.

The exploited vulnerability is identified as CVE-2024-27956 and received a severity score of 9.9/10.
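As an added triage example (not code from the article, PatchStack or WPScan), the checks below look for the three post-compromise behaviours described above in constructed data: requests to the plugin's csv.php in an Apache-style access log, a missing or renamed csv.php in the plugin directory, and administrator accounts created on or after the March 13 disclosure date. The plugin directory name, the log format and all sample values are assumptions.

```python
import re
from datetime import date

# Indicators named in the article: hits on csv.php, the file being renamed,
# and new admin accounts. The plugin slug below is an assumption.
VULN_FILE = "csv.php"
PLUGIN_DIR = "/wp-content/plugins/wp-automatic/"   # assumed plugin path
DISCLOSED = date(2024, 3, 13)                      # disclosure date per the article

# Minimal Apache combined/common log parser (assumed log format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def csv_requests(log_lines):
    """Return (ip, method, status) for every request aimed at the plugin's csv.php."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]      # drop the query string
        if path.startswith(PLUGIN_DIR) and path.endswith("/" + VULN_FILE):
            hits.append((m.group("ip"), m.group("method"), m.group("status")))
    return hits

def csv_file_state(plugin_files):
    """'present', 'missing' (possibly renamed, as the article describes) or
    'renamed' when a csv*.php lookalike sits where csv.php should be."""
    names = [p.rsplit("/", 1)[-1] for p in plugin_files]
    if VULN_FILE in names:
        return "present"
    lookalikes = [n for n in names if n.startswith("csv") and n.endswith(".php")]
    return "renamed" if lookalikes else "missing"

def suspicious_admins(users):
    """Administrator logins registered on or after disclosure (users are dicts)."""
    return sorted(u["login"] for u in users
                  if u["role"] == "administrator" and u["registered"] >= DISCLOSED)

# Constructed sample data, not taken from any real site.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Mar/2024:10:15:01 +0000] "POST /wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1" 200 512',
    '198.51.100.2 - - [31/Mar/2024:10:16:22 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [31/Mar/2024:10:16:40 +0000] "POST /wp-content/plugins/wp-automatic/inc/csv.php?x=1 HTTP/1.1" 500 0',
]
SAMPLE_FILES = ["wp-automatic/inc/csv_renamed.php", "wp-automatic/index.php"]
SAMPLE_USERS = [
    {"login": "editor1", "role": "administrator", "registered": date(2023, 6, 1)},
    {"login": "newadmin42", "role": "administrator", "registered": date(2024, 3, 31)},
]
```

Run against a real site by feeding the web server's access log lines, a listing of the plugin directory, and the users table exported from the database.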
