Security News > 2024 > April > WP Automatic WordPress plugin hit by millions of SQL injection attacks
Hackers have started to target a critical severity vulnerability in the WP Automatic plugin for WordPress to create user accounts with administrative privileges and to plant backdoors for long-term access.
Currently installed on more than 30,000 websites, WP Automatic lets administrators automate content importing from various online sources and publishing on their WordPress site.
The exploited vulnerability is identified as as CVE-2024-27956 and received a severity score of 9.9/10. It was disclosed publicly by researchers at PatchStack vulnerability mitigation service on March 13 and described as an SQL injection issue that impacts affecting WP Automatic versions before 3.9.2.0.
To mitigate the risk of being breached, researchers recommend WordPress site administrators to update the WP Automatic plugin to version 3.92.1 or later.
Critical Forminator plugin flaw impacts over 300k WordPress sites.
Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-03-21 | CVE-2024-27956 | Unspecified vulnerability in Valvepress Automatic Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection.This issue affects Automatic: from n/a through 3.92.0. | 9.8 |