Critical WordPress Automatic Plugin Vulnerability Hit by Millions of Attacks

WP Automatic Plugin Vulnerability

WordPress security scanner WPScan is alerting users that threat actors are injecting malicious code into websites by exploiting a critical-severity vulnerability in the WordPress Automatic plugin.

Attackers have started to focus on a critical-severity vulnerability in the WordPress plugin WP Automatic, which allows them to deploy backdoors for permanent access and create user accounts with administrative privileges.

This vulnerability is significant since attackers can control compromised websites, create admin-level user accounts, share malicious files, and access websites without authorization.

WP Automatic, currently deployed on over 30,000 websites, lets administrators automate importing content (text, photos, and video) from several online sources and publishing it on their WordPress website.

The exploited vulnerability, known as CVE-2024-27956, has a severity level of 9.9/10.

Since March 13, 2024, when PatchStack made the vulnerability public, attackers have started to focus on WordPress websites to establish user accounts with administrative capabilities and install backdoors for permanent access.

There is a flaw in the plugin’s user authentication system that allows SQL queries to be submitted to the site’s database without authorization. Hackers can utilize specially constructed queries to create administrator accounts on the target website.

Over 5.5 Million Attacks were Recorded

Automattic’s WPScan detected more than 5.5 million attempts to exploit the vulnerability; most of these attacks were noted on March 31.

According to WPScan’s study, “Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code.”

The hackers additionally rename the vulnerable file to “csv.php” to evade detection and to prevent other hackers from accessing the website by taking advantage of the same vulnerability.

The threat actor usually installs additional plugins that enable file uploading and code editing once they take over the website.


Admins can use WPScan’s set of indicators of compromise to determine whether their website has been compromised. 

To see if there are any indications that hackers have taken over the website, administrators can look for files with the names web.php and index.php, which are the backdoors planted in the most recent campaign, and for the presence of an admin account beginning with “xtw”.
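The checks described above can be scripted. The following is an added example, not WPScan's own tooling or code from the original article: it walks a WordPress directory for the file names mentioned here and filters a list of administrator logins for the “xtw” prefix. It assumes the admin logins are supplied as text, one per line, and, because WordPress ships many legitimate index.php files, it only reports index.php files modified on or after the March 13, 2024 disclosure date (that cutoff is an assumption of this example).

```python
import os
import sys
from datetime import datetime, timezone

# File names taken from the article; a match is a lead to review, not proof.
SUSPECT_NAMES = {"web.php", "csv.php"}
ADMIN_PREFIX = "xtw"
# Assumption of this example: index.php is also a legitimate WordPress file
# name, so only copies modified since public disclosure are reported.
DISCLOSED = datetime(2024, 3, 13, tzinfo=timezone.utc).timestamp()


def scan_files(root, since=DISCLOSED):
    """Return sorted (relative_path, reason) pairs for files worth reviewing."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower in SUSPECT_NAMES:
                hits.append((rel, "file name listed as IoC"))
            elif lower == "index.php" and os.lstat(path).st_mtime >= since:
                hits.append((rel, "index.php modified since disclosure"))
    return sorted(hits)


def suspicious_admins(logins):
    """Return administrator logins that start with the reported prefix."""
    cleaned = (login.strip() for login in logins)
    return [u for u in cleaned if u.lower().startswith(ADMIN_PREFIX)]


if __name__ == "__main__":
    # Usage: python check_iocs.py /path/to/wordpress < admin_logins.txt
    # admin_logins.txt holds one login per line, e.g. exported with
    #   wp user list --role=administrator --field=user_login
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason in scan_files(root):
        print(f"[file]  {rel}: {reason}")
    if not sys.stdin.isatty():
        for login in suspicious_admins(sys.stdin.read().splitlines()):
            print(f"[admin] {login}: starts with '{ADMIN_PREFIX}'")
```

A hit should be compared against a clean copy of WordPress and the site's known administrators before anything is deleted.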

Researchers advise WordPress site administrators to update the WP Automatic plugin to version 3.92.1 or higher to reduce the possibility of a compromise.

Website owners are also advised by WPScan to regularly generate backups of their sites so that, in case of a compromise, they can immediately install clean copies.


Janki Mehta


Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.