Massive attack detected after Automatic plugin vulnerability for Wordpress
Introduction
WordPress is, by a wide margin, the leader among content management systems. Its figures are dazzling: it powers more than 43% of the world's websites, nearly 500 million sites. Given this market dominance, attackers are increasingly interested in finding vulnerabilities that let them into the popular CMS. Typically, and historically, the WordPress core is relatively secure: it has a strong security team and good development-cycle practices.
So how do attackers proceed? They look at the weakest link of the platform, in this case its extensibility. WordPress plugins are components, often developed by third parties, that provide a particular piece of functionality: easier administration, an out-of-the-box newsletter, a rotating image gallery, and so on. WordPress has no fewer than 70,000 plugins, and many end users rely on them to speed up building the website they want. Many of those plugins are, in turn, tremendously popular.
There are more than 70,000 WordPress plugins, widely used to streamline website creation.
Are the development processes of these third parties as secure as those of the WordPress base system? The answer is that it depends on the third party, and there is a bit of everything. This draws the interest of attackers, who scan plugins looking for their gateway into the WordPress bounty. Attacks on such plugins have been discovered on countless occasions (see this or this other recent example), with varying impact depending on the popularity of the plugin.
In this article we will discuss a recent vulnerability found in March 2024 in the Automatic plugin that is being actively exploited.
What is the Automatic plugin, and is it popular?
The Automatic WordPress plugin publishes content from almost any website to WordPress automatically. It can import from popular sites such as YouTube and X (formerly Twitter) using their APIs, or from almost any website using its scraping modules. It can even generate content using OpenAI GPT.
Automatic is a plugin developed by ValvePress with more than 38,000 paying customers. Researchers at security firm Patchstack revealed last month that versions 3.92.0 and earlier of the plugin had a vulnerability with a severity rating of 9.9 out of a possible 10.
The plugin's developer, ValvePress, released a patch, which is available in versions 3.92.1 and later and should logically be installed immediately by anyone using this plugin.
The release notes for the patched version, however, do not explicitly mention the fix for the vulnerability, so this could be called a silent patch. That is not considered good practice, because it does not convey the criticality of the upgrade to end users.
What vulnerabilities have been found?
The vulnerability (CVE-2024-27956) is a SQL injection that could allow unauthenticated attackers to create administrator accounts and take control of a WordPress site.
This class of vulnerability stems from a web application failing to build its database queries properly. SQL syntax uses apostrophes to mark the beginning and end of a string of data. By submitting strings with specially positioned apostrophes into vulnerable fields on the website, attackers can make the application execute crafted SQL statements that perform sensitive actions: return sensitive data, grant administrative privileges, or more generally abuse the operation of the web application.
The picture for an attacker could not be better. We are talking about unauthenticated access: no credentials of any user of the victim WordPress site are needed, neither administrator nor even content creator, and yet the flaw allows administrator accounts to be created, i.e. becoming a superuser of the website.
This vulnerability allows an attacker to create administrator accounts and gain full control of the website without being an existing user or administrator.
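The mechanism described above, as an added example that is not the plugin's code: a lookup that pastes user input into the SQL text (so a stray apostrophe closes the string literal early), beside the same lookup written as a parameterized query. It uses Python and an in-memory SQLite table standing in for a MySQL user table; the table and rows are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (login, role) VALUES (?, ?)",
        [("alice", "administrator"), ("bob", "editor"), ("carol", "subscriber")],
    )
    return conn


def lookup_vulnerable(conn, login):
    # The bug class the article describes: untrusted input is concatenated
    # into the SQL text. An apostrophe in the input ends the string literal
    # early and whatever follows it is parsed as SQL, not as data.
    sql = "SELECT login, role FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, login):
    # The fix: a parameterized query. The value travels separately from the
    # statement, so apostrophes in it can never change the query's structure.
    sql = "SELECT login, role FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # input with a specially positioned apostrophe
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("safe:      ", lookup_safe(db, probe))        # no such login: []
```

With a normal login such as "alice" both functions return the same single row; only the unsafe one lets the apostrophe rewrite the WHERE clause.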
Is it being actively exploited?
Wordpress security firm WPScan published a post on the exploitation of this vulnerability, where they revealed that they have recorded over 5 million attempts to exploit the vulnerability since its disclosure.
In summary, the exploitation process is as follows:
- SQL Injection: Attackers exploit the SQLi vulnerability in the plugin to execute unauthorized database queries.
- Administrator User Creation: With the ability to execute arbitrary SQL queries, attackers create new administrator-level user accounts within WordPress.
- Malware Upload: Once an admin-level account exists, attackers can upload malicious files to host malware that victims will later download, and typically also web shells or backdoors to maintain access.
Once a WordPress site is compromised, attackers often rename the vulnerable files, for two main reasons:
- To evade detection and maintain access, i.e. seeking persistence on the system and making it harder for website owners or security tools to identify or block the problem.
- It can also be a way for attackers to prevent other malicious actors from exploiting the sites they have already compromised; a bit selfish of them, isn't it?
Mitigations
Considering the criticality of this threat, website owners should take immediate steps to protect their WordPress sites.
- Plugin Updates: Ensure that the Automatic plugin is updated to the latest version.
- User Account Review: Review and audit user accounts within WordPress, removing any unauthorized or suspicious admin users.
- Security Monitoring: Employ robust security monitoring tools and services to detect and respond to malicious activity on your website.
Upon any hint of suspicion, or even without one, if as a website owner you use WordPress with the Automatic plugin, you should review the indicators of compromise shared in the WPScan article.
Conclusions
WordPress's market position in website creation will continue to attract the attention of cybercriminals, now and in the future, so these attacks will keep occurring frequently.
Here are some basic security recommendations if you are a user owning a website managed with Wordpress:
- First of all, consider whether a plugin is really needed, weighing the ability to keep it up to date, which is crucial for security, against the ease of use or functionality it provides.
- Only install actively maintained plugins and review their use periodically to remove those that are not needed.
- Depending on the criticality of the website and the data it hosts, evaluate the need for specialized continuous security monitoring tools in the cloud, as offered by several vendors of security products specialized in WordPress.
WordPress is probably one of the best and most accessible options for creating and managing websites, but its security needs looking after, as with any other system reachable from the web.