What is CVE-2024-27956?

An unauthenticated SQL-injection in the WP Automatic plugin (versions earlier than 3.92.1). The vulnerable code path was a CSV import handler that passed user-supplied data directly into a SQL query. Disclosed March 2024; mass exploitation began within days.

What did attackers do with the SQLi?

The most common pattern was: inject SQL to add a new administrator user with a known password, log in, install a backdoor plugin or drop a web shell. WP Automatic's heavy install base on auto-blogging sites meant many of those sites were already neglected.

Why was it so heavily exploited?

WP Automatic is a paid plugin distributed widely through code-marketplace and license-leak channels. Many installs were on un-monitored auto-blogging sites whose owners never noticed when patches landed. The combination of unauthenticated SQLi, instant admin creation, and a stale audience produced one of the loudest WordPress mass-exploitation events of 2024.

I updated to 3.92.1 the day it came out. Am I clean?

Possibly — but you still need to check for indicators. The exploit window was narrow on paper but very dense in practice. I routinely see sites that updated within 48 hours but were already compromised.

CVE-2024-27956 · Unauth SQLi · mass-exploited

WP Automatic SQL injection cleanup.

An unauthenticated SQL injection in WP Automatic let attackers create administrators and plant backdoors at scale in March 2024. If your site ran an affected version, treat it as compromised. I clean it manually. Flat $279.

Start a cleanup About the bug

What the bug was

Unauthenticated SQLi in a CSV import handler.

WP Automatic exposed an endpoint that accepted CSV-formatted data and passed user-supplied fields into the WordPress database without sanitisation. Any unauthenticated visitor could craft a request that ran arbitrary SQL. Affected versions: prior to 3.92.1. Disclosed March 13, 2024.

Standard attack pattern: insert a row into wp_users with a known password hash; insert a matching wp_usermeta row granting the administrator role; log in; install a backdoor plugin or write a web shell.

Indicators

What I look at.

Access log
POSTs to wp-content/plugins/wp-automatic/csv.php from external IPs. Typically dozens to hundreds of requests, sometimes from the same handful of IPs over weeks.
Users
Administrators created since March 2024 you don't recognise. Common patterns: usernames like 'admin', 'wpadmin', 'user' with throwaway emails.
Plugins
Plugins installed by the new admin user — file-manager-style plugins, fake security plugins, or anything you didn't install yourself.
Web shells
Fresh PHP in wp-content/uploads/ and any non-plugin location. The CSV.php endpoint was also abused to write shells directly.

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.