A critical vulnerability in a popular WordPress plugin is being actively exploited to take over victims' websites with administrator privileges. Patchstack, a WordPress security firm, first discovered the SQL injection (SQLi) vulnerability in the WP-Automatic plugin in March 2024.
WP-Automatic is a WordPress plugin designed to automate posting on websites by pulling content from different sources. It can grab content from RSS feeds, websites, YouTube channels, and more.
According to a WPScan alert, attackers are using the flaw to gain access to WordPress websites, create administrator-level user accounts, use those accounts to upload malicious files, and potentially take full control of the affected sites.
The vulnerability, tracked as CVE-2024-27956, has a severity score of 9.9, which is critical. All versions of the WP-Automatic plugin up to and including 3.9.3.0 are reported to be vulnerable, and more than five million exploitation attempts have been recorded so far.
According to a statement given by WPScan, “Once a WordPress site is compromised, attackers can make sure that they have long-term access by creating backdoors and obfuscating the code.”
WPScan also stated that "to evade detection and maintain access, attackers may also rename the vulnerable WP-Automatic file, making it difficult for website owners or security tools to identify or block the issue."
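As an added illustration (not part of the article or of WPScan's tooling), the following Python script performs two defender-side checks that follow from the alert above: whether an installed WP-Automatic version falls in the affected range (3.9.3.0 and below), and which administrator accounts were registered after a chosen cut-off date. The user rows are constructed sample data shaped like wp_users joined with the role metadata; on a real site they would come from the database or from `wp user list`.

```python
"""Triage checks for CVE-2024-27956 (added example, not from the article)."""
from datetime import datetime

# Highest affected WP-Automatic version named in the advisory.
AFFECTED_MAX = (3, 9, 3, 0)


def parse_version(v: str) -> tuple:
    """Turn '3.9.3' or '3.9.3.0' into a 4-tuple so versions compare numerically."""
    parts = [int(p) for p in v.strip().split(".")]
    parts += [0] * (4 - len(parts))   # pad short versions: 3.9.3 == 3.9.3.0
    return tuple(parts[:4])


def is_vulnerable(version: str) -> bool:
    """True when the installed version is 3.9.3.0 or below."""
    return parse_version(version) <= AFFECTED_MAX


# Constructed sample rows (not real data), modelled on wp_users + wp_capabilities.
SAMPLE_USERS = [
    {"login": "siteowner",   "registered": "2021-05-02 10:11:12", "roles": ["administrator"]},
    {"login": "editor1",     "registered": "2023-09-14 08:00:00", "roles": ["editor"]},
    {"login": "newadmin_01", "registered": "2024-04-25 03:17:44", "roles": ["administrator"]},
]


def suspicious_admins(users, since: str) -> list:
    """Return logins of administrator accounts registered on or after `since` (YYYY-MM-DD).

    Accounts the site owner did not create are the first post-exploitation
    indicator described in the alert, so anything returned here needs review.
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    hits = []
    for u in users:
        created = datetime.strptime(u["registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in u["roles"] and created >= cutoff:
            hits.append(u["login"])
    return hits


if __name__ == "__main__":
    print("3.9.3.0 vulnerable:", is_vulnerable("3.9.3.0"))          # True
    print("3.9.3.1 vulnerable:", is_vulnerable("3.9.3.1"))          # False
    print("new admins:", suspicious_admins(SAMPLE_USERS, "2024-03-01"))  # ['newadmin_01']
```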
WordPress is one of the most popular website platforms, powering more than 40% of websites. WordPress site owners are advised to use only legitimate themes and plugins and to keep them updated to avoid issues like this one.