WP Automatic WordPress plugin hit by millions of SQL injection attacks

2024-04-25 14:27

Hackers have started to target a critical severity vulnerability in the WP Automatic plugin for WordPress to create user accounts with administrative privileges and to plant backdoors for long-term access.

Currently installed on more than 30,000 websites, WP Automatic lets administrators automate content importing from various online sources and publishing on their WordPress site.

The exploited vulnerability is identified as as CVE-2024-27956 and received a severity score of 9.9/10. It was disclosed publicly by researchers at PatchStack vulnerability mitigation service on March 13 and described as an SQL injection issue that impacts affecting WP Automatic versions before 3.9.2.0.

To mitigate the risk of being breached, researchers recommend WordPress site administrators to update the WP Automatic plugin to version 3.92.1 or later.

Critical Forminator plugin flaw impacts over 300k WordPress sites.

Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware.

News URL

https://www.bleepingcomputer.com/news/security/wp-automatic-wordpress-plugin-hit-by-millions-of-sql-injection-attacks/

#attack #SQL #wordpress #CVE-2024-27956

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2024-03-21	CVE-2024-27956	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection.This issue affects Automatic: from n/a through 3.92.0. CWE-89	0.0

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Wordpress		49	36	409	104	29	578
Plugin		2	0	13	0	0	13