Hackers carefully hide the traces of an attack and prevent competition.
Cybercriminals have started exploiting a critical vulnerability in the WP Automatic plugin for WordPress, which allows you to create accounts with administrative privileges and install backdoors for long-term access.
The WP Automatic plugin, installed on more than 30,000 sites, allows administrators to automate the import of content (texts, images, videos) from various sources for publishing on a WordPress site.
The SQL injection vulnerability CVE-2024-27956 (CVSS score: 9.9) affects versions of WP Automatic up to 3.9.2.0. The bug was made public on March 13 by PatchStack researchers. She
The problem lies in the plugin's user authentication mechanism, which can be bypassed to send SQL queries to the site's database. Attackers use specially prepared requests to create administrator accounts on the target site.
Since the release of the vulnerability, Automattic's WPScan service has recorded more than 5.5 million attack attempts, most of which occurred on March 31.
After gaining administrative access to the site, attackers create backdoors and obfuscate the code to make it harder to detect. To prevent other hackers from accessing the site through the same vulnerability and to avoid detection, attackers also rename the vulnerable file to "csv.php".
When establishing control over a site, cybercriminals often install additional plugins that allow you to upload files and edit code.
WPScan provides a number of Compromise Indicators (IoC) that can help administrators determine if their site has been compromised. These attributes include the presence of an administrator account that starts with " xtw " and files called web.php and index.php which are backdoors installed during a recent campaign.
To minimize the risk of hacking, the researchers recommend that WordPress site administrators update the WP Automatic plugin to version 3.92.1 or later. We also recommend that you regularly back up your site so that if it is compromised, you can quickly restore it from the copy.
Cybercriminals have started exploiting a critical vulnerability in the WP Automatic plugin for WordPress, which allows you to create accounts with administrative privileges and install backdoors for long-term access.
The WP Automatic plugin, installed on more than 30,000 sites, allows administrators to automate the import of content (texts, images, videos) from various sources for publishing on a WordPress site.
The SQL injection vulnerability CVE-2024-27956 (CVSS score: 9.9) affects versions of WP Automatic up to 3.9.2.0. The bug was made public on March 13 by PatchStack researchers. She
The problem lies in the plugin's user authentication mechanism, which can be bypassed to send SQL queries to the site's database. Attackers use specially prepared requests to create administrator accounts on the target site.
Since the release of the vulnerability, Automattic's WPScan service has recorded more than 5.5 million attack attempts, most of which occurred on March 31.
After gaining administrative access to the site, attackers create backdoors and obfuscate the code to make it harder to detect. To prevent other hackers from accessing the site through the same vulnerability and to avoid detection, attackers also rename the vulnerable file to "csv.php".
When establishing control over a site, cybercriminals often install additional plugins that allow you to upload files and edit code.
WPScan provides a number of Compromise Indicators (IoC) that can help administrators determine if their site has been compromised. These attributes include the presence of an administrator account that starts with " xtw " and files called web.php and index.php which are backdoors installed during a recent campaign.
To minimize the risk of hacking, the researchers recommend that WordPress site administrators update the WP Automatic plugin to version 3.92.1 or later. We also recommend that you regularly back up your site so that if it is compromised, you can quickly restore it from the copy.
