40,000+ Sites Exposed: WordPress Plugin Update Critical – CVE-2024-27956 & CVE-2024-27954
A recent security advisory from Patchstack reveals that the Automatic plugin (premium version), a popular choice for automating content imports on WordPress websites, contains two dangerous vulnerabilities (CVE-2024-27956 and CVE-2024-27954). With over 40,000 active installations, the risks are widespread and immediate.
The first vulnerability, CVE-2024-27956 (CVSS 9.9), is an Unauthenticated Arbitrary SQL Execution flaw in the inc/csv.php file, found by Rafie Muhammad of Patchstack. It lets an attacker with no account on the site run SQL queries of their choosing against the WordPress database, which means any data in it can be read or modified, opening the door to data theft and full site compromise. The issue is fixed in version 3.92.1 of the plugin.
The second vulnerability, CVE-2024-27954 (CVSS 9.3), is an Unauthenticated Arbitrary File Download and SSRF flaw in the downloader.php file, also discovered by Rafie Muhammad. It allows an attacker to download arbitrary files readable by the web server and to make the server issue requests to URLs the attacker supplies. Sensitive data, including credentials and backup files, could fall into the wrong hands. This vulnerability is likewise patched in version 3.92.1.
These two flaws underline the need for strict controls in any plugin feature that executes SQL or fetches URLs. Patchstack's recommendations are specific: SQL execution features should never take a query from the request, and even high-privilege users such as administrators should not be offered a way to run arbitrary SQL, since a single missing authorization or nonce check turns that feature into unauthenticated database access. URL fetching should require a capability check and a nonce, and should restrict the URLs that may be supplied (scheme, host, port). Using the wp_safe_remote_* functions for outbound requests adds a further layer: they reject non-http(s) schemes, unusual ports and hosts that resolve to loopback, private or link-local addresses, and they re-apply that check on redirects, which is exactly what an SSRF attacker relies on to reach internal services.
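The following is an added illustration of those recommendations and is not code from the Automatic plugin or from Patchstack's advisory. It shows a WordPress admin-ajax handler that fetches a URL only after capability, nonce and URL checks, and a CSV import that writes rows through $wpdb->insert()/$wpdb->prepare() so no request-supplied SQL is ever executed. The hook name myplugin_fetch_url, the option myplugin_allowed_hosts and the table myplugin_items are assumed names for the example.

```php
<?php
// Added example (not plugin or advisory code): hardened URL fetch and CSV import.
// Assumed names: hook 'myplugin_fetch_url', option 'myplugin_allowed_hosts', table '{prefix}myplugin_items'.

defined( 'ABSPATH' ) || exit; // Refuse to run outside WordPress.

// ---- 1. URL fetch: capability + nonce + URL restrictions + wp_safe_remote_get() ----

add_action( 'wp_ajax_myplugin_fetch_url', 'myplugin_fetch_url' );
// Deliberately no 'wp_ajax_nopriv_' registration: unauthenticated requests have no handler.

function myplugin_fetch_url() {
    // Only users holding this capability (administrators by default) may trigger a fetch.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Nonce bound to this specific action; blocks cross-site request forgery.
    check_ajax_referer( 'myplugin_fetch_url', 'nonce' );

    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( ! myplugin_url_allowed( $url ) ) {
        wp_send_json_error( 'url not permitted', 400 );
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, so wp_http_validate_url() runs on the
    // URL and again on every redirect target: loopback/private/link-local hosts and
    // non-standard ports are refused, closing the usual SSRF pivot to internal services.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }
    // Hand the body back to the caller; never write it to a path taken from the request.
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

function myplugin_url_allowed( $url ) {
    if ( '' === $url ) {
        return false;
    }
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false; // no file://, php://, gopher:// and friends
    }
    // Optional site-owner allow-list of hosts (assumed option name). Empty list = any public host.
    $allowed_hosts = (array) get_option( 'myplugin_allowed_hosts', array() );
    if ( $allowed_hosts && ! in_array( strtolower( $parts['host'] ), $allowed_hosts, true ) ) {
        return false;
    }
    return false !== wp_http_validate_url( $url );
}

// ---- 2. Database writes from imported rows: structured data, never request-supplied SQL ----

function myplugin_import_csv_rows( array $rows ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_items'; // fixed table name (assumed)
    // Fixed column allow-list with a sanitizer per column; nothing in the CSV names a column.
    $sanitizers = array(
        'title'      => 'sanitize_text_field',
        'source_url' => 'esc_url_raw',
        'fetched_at' => 'sanitize_text_field',
    );
    $inserted = 0;

    foreach ( $rows as $row ) {
        $data = array();
        foreach ( $sanitizers as $col => $fn ) {
            $data[ $col ] = isset( $row[ $col ] ) ? call_user_func( $fn, $row[ $col ] ) : '';
        }
        if ( '' === $data['title'] ) {
            continue; // skip rows with no title
        }
        // $wpdb->insert() builds the statement and binds each value with the given format,
        // so a cell such as "'); DROP TABLE wp_users; --" is stored as a plain string.
        if ( false !== $wpdb->insert( $table, $data, array( '%s', '%s', '%s' ) ) ) {
            $inserted++;
        }
    }
    return $inserted;
}

// Reads are parameterised with $wpdb->prepare(); the table name is never user-controlled.
function myplugin_find_by_source( $source_url ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_items';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE source_url = %s LIMIT %d", $source_url, 50 )
    );
}
```

The point of the second half is that there is no code path, even for an administrator, that takes a query string from the request and hands it to $wpdb->query(): the import accepts column values only, and every statement is built by WordPress with bound parameters.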
Attackers continuously scan for vulnerable plugins. If you run the Automatic plugin, update to version 3.92.1 or later now; staying informed and patching promptly is the best defense for your website and its visitors.