April 26, 2024: WordPress Automatic plugin vulnerability exploited for site takeovers CVE-2024-27956
• 300+ publicly-exposed hosts running WordPress Automatic by ValvePress
Top affected countries:
1. US
2. Germany
3. France
4. Netherlands
5. UK
Summary
Censys is aware that on March 21, 2024, a vulnerability in the WordPress plugin Automatic by ValvePress, CVE-2024-27956, was published that could allow WordPress website takeovers. It has since been reported that this flaw is being actively exploited. The issue allows trivial SQL injection attacks against the plugin's user authentication process: an unauthenticated request can bypass that check and run attacker-chosen SQL against the site's database.
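To make "trivial SQL injection against the authentication process" concrete, here is an added example, not the plugin's code and not a reproduction of the exact logic behind CVE-2024-27956: a login check that interpolates the username into SQL, beside the parameterized version of the same check. The in-memory SQLite table, the sha256 stand-in for WordPress password hashing, and the payload are all constructed for this example.

```python
"""Illustrative SQL-injection authentication bypass beside the hardened form.

Constructed example: an in-memory SQLite users table standing in for wp_users.
sha256 is used only as a placeholder for a real password hash (WordPress uses
phpass/bcrypt); the point is the query construction, not the hashing.
"""
import hashlib
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a one-user table so both login functions can be exercised."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, "
        "user_pass TEXT, role TEXT)"
    )
    conn.execute(
        "INSERT INTO users (user_login, user_pass, role) VALUES (?, ?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest(), "administrator"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable: the username is pasted into the statement text.

    A username of "admin' -- " closes the string literal and comments out the
    password predicate, so the row is returned without knowing the password.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        f"SELECT user_login, role FROM users "
        f"WHERE user_login = '{username}' AND user_pass = '{pw_hash}'"
    )
    return conn.execute(sql).fetchone()  # (user_login, role) or None


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: bound parameters keep the username as data, never as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return conn.execute(
        "SELECT user_login, role FROM users WHERE user_login = ? AND user_pass = ?",
        (username, pw_hash),
    ).fetchone()


# Constructed attacker input: terminates the quoted literal, then a SQL comment.
BYPASS_USERNAME = "admin' -- "

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", login_vulnerable(db, BYPASS_USERNAME, "wrong"))
    print("hardened:  ", login_hardened(db, BYPASS_USERNAME, "wrong"))
    print("hardened, real creds:", login_hardened(db, "admin", "correct horse"))
```

The hardened variant is the WordPress-idiomatic shape as well: in plugin code this is `$wpdb->prepare()` with placeholders rather than string concatenation into `$wpdb->get_row()`.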
Asset Description
WordPress Automatic Plugin by ValvePress "posts from almost any website to WordPress automatically." WordPress plugins are usually third-party-developed applications that can be added to a customer's WordPress site with minimal or no coding. Such applications require broad, and often deep, access to site functionality, and that access can be, and frequently is, abused by attackers when vulnerabilities exist in these third-party plugins.
Impact
WordPress Automatic is a commercially distributed plugin with a large installed base; Censys observed 300+ publicly exposed hosts running it at the time of writing (see the count above), and the plugin runs with the database access needed to create posts and users on the site.
Potential Consequences of Successful Exploitation
According to WPScan, "attackers can exploit it [vulnerability] to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites." It should be noted that WordPress is often the sole source of online presence and revenue for small and medium businesses; compromise of these sites could be catastrophic for such businesses.
Affected Assets
According to the NVD, this issue affects all versions through 3.92.0; the fix shipped in 3.92.1.
Censys' Rapid Response Team was able to identify WordPress Automatic plugin installations on publicly accessible WordPress servers detected by our scanners. Due to the nature of the plugin, version information is not exposed, and some installations may remain hidden because plugin pages are not publicly indexed, so our scans may not capture every instance of this plugin.
Censys ASM Query for Exposed Assets.
This query is shared for customers who wish to refine or alter versioning for customized operations.
Censys Search Queries are shared directly with Censys customers. If you would like to obtain the Censys query to identify global instances related to this issue, or need help, please contact us.
Remediation
Recommendations from WPScan state that owners of these assets should:
– "Ensure that the WP-Automatic plugin is updated to the latest version."
– Review/audit user accounts to identify and remove any suspicious users or admins.
– Use WordPress security tools.
– Backup website data.
– Watch for Indicators of Compromise, including:
— admin user names starting with "xtw"
— the vulnerable file /wp-content/plugins/wp-automatic/inc/csv.php renamed to something like /wp-content/plugins/wp-automatic/inc/csv65f82ab408b3.php (attackers rename it after exploitation so that other attackers cannot reuse the flaw against the same site)
— files with the following SHA1 hashes dropped in your site's filesystem:
b0ca85463fe805ffdf809206771719dc571eb052 web.php
8e83c42ffd3c5a88b2b2853ff931164ebce1c0f3 index.php
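The three indicators above can be checked mechanically. The script below is an added example, not WPScan's or Censys' tooling: it takes a WordPress document root plus a list of user logins (in practice the output of `wp user list --field=user_login`, or a SELECT on wp_users) and reports xtw-prefixed logins, a renamed csv.php in the wp-automatic inc directory, and any PHP file whose SHA1 matches the hashes listed. The sample document root and user list are constructed in a temp directory so it runs offline; flagging a missing csv.php as "possibly renamed" is a heuristic of mine, not an indicator from the advisory.

```python
"""Hunt for the WP-Automatic (CVE-2024-27956) indicators listed above.

Added example; the sample site below is constructed so the script runs offline.
Point scan_site() at a real document root and a real user-login list in practice.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators of compromise as quoted in the advisory above.
BAD_SHA1 = {
    "b0ca85463fe805ffdf809206771719dc571eb052": "web.php",
    "8e83c42ffd3c5a88b2b2853ff931164ebce1c0f3": "index.php",
}
USERNAME_PREFIX = "xtw"
INC_DIR = Path("wp-content/plugins/wp-automatic/inc")
# csv.php renamed with a hex suffix, e.g. csv65f82ab408b3.php
RENAMED_CSV = re.compile(r"^csv[0-9a-f]+\.php$")


def sha1_of(path: Path) -> str:
    """Stream the file so large uploads do not have to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_site(docroot: Path, usernames) -> list[str]:
    """Return a list of human-readable findings; empty means nothing matched."""
    findings = []
    for user in usernames:
        if user.startswith(USERNAME_PREFIX):
            findings.append(f"suspicious user login: {user}")
    inc = docroot / INC_DIR
    if inc.is_dir():
        for p in sorted(inc.iterdir()):
            if RENAMED_CSV.match(p.name):
                findings.append(f"renamed csv.php found: {p.relative_to(docroot)}")
        if not (inc / "csv.php").exists():
            # Heuristic (assumption): a clean install ships csv.php; absence
            # suggests an attacker renamed it after exploitation.
            findings.append("csv.php missing from wp-automatic/inc (possibly renamed)")
    for p in docroot.rglob("*.php"):
        digest = sha1_of(p)
        if digest in BAD_SHA1:
            findings.append(
                f"known webshell hash {digest} ({BAD_SHA1[digest]}): "
                f"{p.relative_to(docroot)}"
            )
    return findings


def build_sample_site() -> Path:
    """Constructed docroot: a renamed csv.php plus a benign index.php."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    inc = root / INC_DIR
    inc.mkdir(parents=True)
    (inc / "csv65f82ab408b3.php").write_text("<?php // renamed in this scenario ?>")
    (root / "index.php").write_text("<?php require 'wp-blog-header.php'; ?>")
    return root


# Constructed login list; the xtw-prefixed name mirrors the advisory's indicator.
SAMPLE_USERS = ["admin", "editor", "xtw18bd0e3a"]

if __name__ == "__main__":
    for line in scan_site(build_sample_site(), SAMPLE_USERS):
        print(line)
```

Run it against a live site after taking a forensic copy, not on the only copy you have: a hash match on web.php or index.php means the host has already been used as a webshell drop and should be treated as compromised, regardless of whether the plugin has since been updated.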