Urgent Alert: Critical WordPress Plugin Flaw Exposed, Hackers Launch Attacks – Update Now!
April 27, 2024
A critical SQL injection vulnerability, identified as CVE-2024-27956, has been found in the WordPress Automatic plugin.
Hackers are actively exploiting this flaw to gain unauthorized site access, create admin accounts, upload malware, and potentially seize full site control.
ValvePress, the plugin's developer, released a security patch in version 3.92.1, but did not highlight the fix in the change log.
Security firms Patchstack and WPScan have observed over 5.5 million exploit attempts since disclosure on March 13.
The vulnerability impacts over 38,000 customers and has a critical severity rating of 9.9, affecting versions up to 3.9.2.0.
WordPress site administrators are advised to update to the latest plugin version immediately to prevent exploitation.
Summary based on 5 sources
Sources
Ars Technica • Apr 26, 2024
Hackers try to exploit WordPress vulnerability that’s as severe as it gets
TechRadar pro • Apr 26, 2024
Hackers attempt to hijack a major WordPress plugin that could allow for site takeovers
The Hacker News • Apr 26, 2024
Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites
SecurityWeek • Apr 26, 2024
Critical WordPress Automatic Plugin Vulnerability Exploited to Inject Backdoors