Patch Available, But Release Notes Silent on Fix
Millions of WordPress websites are at risk due to a critical vulnerability in the popular WP Automatic plugin. Researchers have identified a severe flaw (CVE-2024-27956) that allows attackers to completely take over websites.
What is WP Automatic and What Does the Vulnerability Do?
WP Automatic is a plugin used by WordPress sites to import content from other online sources. The vulnerability lies in how the plugin handles user authentication. Attackers can exploit this weakness to bypass the login process and inject malicious code that grants them administrator privileges. With this control, they can upload malware, steal data, or deface the website.
How Widespread is the Attack?
Security researchers at Patchstack first disclosed the vulnerability in March 2024. Since then, millions of exploit attempts have been detected, with the peak occurring at the end of the month. While the exact number of successful attacks remains unknown, the potential for widespread damage is significant.
What Should WordPress Site Owners Do?
- Patch Immediately: Update the WP Automatic plugin to version 3.92.1 or later. This patched version addresses the vulnerability.
- Scan for Signs of Compromise: Carefully analyze your server for any indicators of compromise that might suggest a successful attack. Security firms like WPScan offer tools and resources to help with this process.
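As an added example, not code from the article or from ValvePress, the following Python check reads the installed plugin's header and reports whether it meets the 3.92.1 minimum named above. It assumes the plugin's main file sits at wp-content/plugins/wp-automatic/wp-automatic.php and covers only the version check, not the scan for indicators of compromise.

```python
import re
from pathlib import Path
from typing import Optional

# Minimum fixed version named in the advisory above.
MIN_FIXED_VERSION = "3.92.1"

# Assumed install path for the plugin's main file (run from the WordPress root).
PLUGIN_MAIN_FILE = Path("wp-content/plugins/wp-automatic/wp-automatic.php")

# WordPress plugin headers are "Version: x.y.z" lines inside a leading /* */ comment.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Extract the Version: field from a WordPress plugin file header."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Numeric tuple for comparison; a trailing suffix such as '1-beta' keeps its leading digits."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_patched(installed: str, minimum: str = MIN_FIXED_VERSION) -> bool:
    """True if installed >= minimum; shorter tuples are zero-padded so 3.92 < 3.92.1."""
    a, b = version_key(installed), version_key(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def assess_header(header_text: str) -> str:
    """Classify a plugin header as patched, vulnerable, or unreadable."""
    version = parse_plugin_version(header_text)
    if version is None:
        return "version header missing (inspect manually)"
    return f"{version}: {'patched' if is_patched(version) else 'VULNERABLE, update now'}"


def check_plugin_file(path: Path = PLUGIN_MAIN_FILE) -> str:
    if not path.exists():
        return "not installed"
    return assess_header(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample header for demonstration; not a real plugin file.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: WP Automatic (constructed sample)\nVersion: 3.92.0\n*/\n"

if __name__ == "__main__":
    print(check_plugin_file())
```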
Why Weren’t Release Notes Updated?
Although a fix shipped in version 3.92.1, the release notes for that update made no mention of the critical security patch, which is concerning because site owners had no signal that the update was urgent. ValvePress, the developer of WP Automatic, has not yet responded to requests for clarification.
Severity of the Vulnerability
This vulnerability is classified as highly severe (CVSS score: 9.9 out of 10). Regardless of the technical classification (SQL injection vs. improper authorization), it grants attackers complete control of affected websites.
Stay Informed and Protect Your Site
By staying updated on security vulnerabilities and taking recommended actions, WordPress site owners can significantly reduce their risk of attack.