WordPress site owners beware! Security researchers have uncovered a critical vulnerability in a widely used plugin that could allow attackers to take over affected websites completely.
The affected plugin, WP-Automatic (sold commercially as ValvePress Automatic), automates importing and publishing content from a range of external sources. According to Patchstack, a WordPress security firm, the vulnerability is an SQL injection (SQLi) flaw. SQLi occurs when untrusted input is pasted into the text of a database query instead of being passed as a separate parameter, so the attacker can change what the query does: reading or modifying arbitrary rows, and, in a WordPress database, that includes the users and options tables.
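To make the class of bug concrete, here is an added example (not code from the WP-Automatic plugin or from Patchstack) that reproduces the pattern in miniature against an in-memory SQLite table. The table, the `users` rows and the `lookup_*` function names are all constructed for the demonstration; the point is the difference between building the query text from user input and binding the input as a parameter.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny stand-in for a WordPress users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("editor_jane", "editor"), ("siteadmin", "administrator")],
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, login: str) -> list:
    """BAD: untrusted input is concatenated into the SQL text.

    Quotes inside `login` terminate the string literal, and whatever follows
    becomes SQL syntax chosen by the caller.
    """
    sql = f"SELECT login, role FROM users WHERE login = '{login}'"
    return db.execute(sql).fetchall()


def lookup_hardened(db: sqlite3.Connection, login: str) -> list:
    """GOOD: the value travels as a bound parameter and is never parsed as SQL."""
    return db.execute(
        "SELECT login, role FROM users WHERE login = ?", (login,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed injection payload: closes the literal, adds an OR clause,
    # and comments out the trailing quote.
    payload = "nobody' OR role = 'administrator' --"
    print("vulnerable:", lookup_vulnerable(db, payload))  # leaks the admin row
    print("hardened:  ", lookup_hardened(db, payload))    # no such login, empty
```

In WordPress plugin code the equivalent of the hardened form is building the query with `$wpdb->prepare()` and placeholders rather than string interpolation; the vulnerable form is any `$wpdb->query()` or `$wpdb->get_results()` call whose SQL string was assembled from request data.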
The severity of the situation is underscored by the size of the exposed population. WP-Automatic is a commercial plugin with tens of thousands of active installations, and each of them was reachable by unauthenticated attackers until patched.
“Hackers could leverage this flaw to gain unauthorized access to websites, create admin accounts, upload malicious files, and essentially take full control of the affected sites,” warns the WPScan alert.
Patchstack disclosed the flaw on March 13, 2024, rated it 9.9 (critical) on the CVSS scale and assigned it the identifier CVE-2024-27956.
WPScan reports that the vulnerability is being actively exploited in the wild, with over five million attack attempts observed since disclosure. Consistent with the WPScan alert quoted above, the observed attacks aim to create administrator accounts and plant backdoor files, so a site that was running a vulnerable version after mid-March 2024 should be treated as potentially compromised, not merely as unpatched.
What You Can Do:
If you use the WP-Automatic plugin on your WordPress website, here’s how to protect yourself:
- Update Immediately: The developers of WP-Automatic have released a patched version, 3.92.1, that addresses the vulnerability; all releases up to and including 3.92.0 are affected. Update the plugin as soon as possible, and confirm the installed version afterwards rather than assuming the update applied.
- Scan for Backdoors: Even if you update now, it is crucial to check your site for anything attackers may have left during the exploitation window. Concretely: list administrator accounts and remove any you did not create, look for PHP files under wp-content/uploads (there should be none), look for plugin, theme or core files modified after March 13, 2024, and compare core and plugin files against clean copies. Security plugins or a website security professional can help with this.
- Change Passwords: Because a successful SQL injection can read everything stored in the database, including password hashes and plugin settings, rotate the passwords of all administrator accounts, invalidate existing login sessions, and rotate any API keys or third-party credentials configured in the WP-Automatic plugin.
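The three steps above are a triage procedure, so here is an added example (not a tool from WP-Automatic, Patchstack or WPScan) that performs the mechanical parts of it against a WordPress install directory: it reads the installed plugin version from the plugin's header and compares it with the fixed release, flags PHP files under `wp-content/uploads`, and flags PHP files modified on or after the disclosure date. It assumes the plugin's main file lives at `wp-content/plugins/wp-automatic/wp-automatic.php` and carries a standard `Version:` header (an assumption; adjust the path if your install differs), and it builds a constructed fixture tree in a temporary directory so it runs offline. The administrator-account query is included as a constant for use with `wp db query` on a real site; it assumes the default `wp_` table prefix.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

DISCLOSURE = datetime(2024, 3, 13, tzinfo=timezone.utc)  # Patchstack disclosure date
FIXED_VERSION = (3, 92, 1)                               # first release with the fix
PLUGIN_MAIN = "wp-content/plugins/wp-automatic/wp-automatic.php"  # assumed path
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Run on a live site with: wp db query "$ADMIN_AUDIT_SQL"  (default wp_ prefix assumed)
ADMIN_AUDIT_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
  AND u.user_registered >= '2024-03-13'
ORDER BY u.user_registered;
""".strip()


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def plugin_version(wp_root: Path):
    """Read the Version: header from the plugin's main file, or None if absent."""
    main = wp_root / PLUGIN_MAIN
    if not main.is_file():
        return None
    match = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", main.read_text(errors="replace"), re.M)
    return match.group(1) if match else None


def is_vulnerable_version(version: str) -> bool:
    # Everything below 3.92.1 (i.e. up to and including 3.92.0) is affected.
    return parse_version(version) < FIXED_VERSION


def find_suspicious_files(wp_root: Path, since: datetime = DISCLOSURE) -> list:
    """Return (reason, relative_path) pairs for PHP files worth a manual look."""
    uploads = wp_root / "wp-content/uploads"
    findings = []
    for path in wp_root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_EXTS:
            continue
        rel = path.relative_to(wp_root).as_posix()
        mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
        if uploads in path.parents:
            findings.append(("php_in_uploads", rel))       # never legitimate
        elif mtime >= since:
            findings.append(("php_modified_since_disclosure", rel))
    return sorted(findings)


def build_fixture(root: Path) -> Path:
    """Constructed WordPress tree: one vulnerable plugin, one dropped file, one edit."""
    def write(rel: str, body: str, when: datetime) -> None:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
        os.utime(target, (when.timestamp(), when.timestamp()))

    old = datetime(2023, 6, 1, tzinfo=timezone.utc)
    write(PLUGIN_MAIN, "<?php\n/*\nPlugin Name: WP Automatic\nVersion: 3.92.0\n*/\n", old)
    write("wp-includes/load.php", "<?php // untouched core file\n", old)
    write("wp-content/uploads/2024/04/image.jpg", "not php", old)
    write("wp-content/uploads/2024/04/cache.php", "<?php // dropped webshell\n",
          datetime(2024, 4, 20, tzinfo=timezone.utc))
    write("wp-content/themes/site/functions.php", "<?php // edited after disclosure\n",
          datetime(2024, 4, 21, tzinfo=timezone.utc))
    return root


def run_triage_demo() -> dict:
    """Build the fixture in a temp dir, triage it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_fixture(Path(tmp))
        version = plugin_version(root)
        return {
            "version": version,
            "vulnerable": is_vulnerable_version(version) if version else None,
            "files": find_suspicious_files(root),
        }


if __name__ == "__main__":
    result = run_triage_demo()
    print(f"installed {result['version']}, vulnerable={result['vulnerable']}")
    for reason, rel in result["files"]:
        print(f"{reason}: {rel}")
    print("\nAdmin-account audit query:\n" + ADMIN_AUDIT_SQL)
```

Point `plugin_version` and `find_suspicious_files` at a real document root to use it outside the demo. A file modified after the disclosure date is not proof of compromise (legitimate updates touch files too), so treat that list as a review queue, whereas any PHP file under uploads and any administrator account you cannot account for should be treated as hostile.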
By following these steps, you can significantly reduce the risk of your website being compromised by this critical vulnerability, and catch a compromise that has already happened.
This incident highlights the importance of keeping WordPress plugins and themes updated so that security fixes are applied promptly, and of watching vendor and security-firm advisories for plugins that do not update through the wordpress.org repository. It is also a good reminder to back up your website regularly, and to keep backups somewhere an attacker with control of the site cannot reach, so you can restore from a known-good copy after a breach.