CVE-2024-27954
published 2024-05-17

Priority: P1 · 91 · critical · 9.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:L / A:N
ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 72.95% (99.4th percentile)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Automatic Automatic allows Path Traversal, Server Side Request Forgery. This issue affects Automatic: from n/a through 3.92.0.

Affected

1 range

Vendor        Product    Version range   Fixed in
wp_automatic  automatic  n/a – 3.92.0    –

Detection & IOCs (extracted from sources)

path:    /wp-content/plugins/wp-automatic/downloader.php
url:     /?p=3232&wp_automatic=download&link=file:///etc/passwd
path:    /wp-content/plugins/wp-automatic/
command: wp_automatic=download&link=file://
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin wp-automatic Server-Side Request Forgery (CVE-2024-27954)"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-automatic/"; fast_pattern; http.request_body; content:"q|3d|"; pcre:"/^(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)/Ri"; reference:url,github.com/gh-ost00/CVE-2024-27954; reference:cve,2024-27954; classtype:web-application-attack; sid:2061306; rev:1;)
  • Match HTTP response body for the JSON key '"link":"file:' to identify successful exploitation of the arbitrary file download endpoint.
  • Match HTTP response body for the regex pattern 'root:.*:0:0:' to confirm /etc/passwd exfiltration via the SSRF/path-traversal endpoint.
  • Inspect HTTP request body for the parameter 'q=' (encoded as 'q|3d|') combined with SQL-like keywords (SELECT, UNION, INSERT, DELETE, SHOW) when the URI contains '/wp-content/plugins/wp-automatic/' — indicates SQLi chained with SSRF exploitation.
  • Unauthenticated GET requests to the plugin's downloader.php with a 'link=file://' parameter should be alerted on as exploitation attempts requiring no authentication.
  • Use the publicwww fingerprint query '/wp-content/plugins/wp-automatic' to identify exposed WordPress instances running the vulnerable plugin.
  • The vulnerability is exploitable without authentication; no session or credentials are required to trigger the arbitrary file download or SSRF via the downloader.php endpoint.
  • The Snort/ET rule targets the request body parameter 'q=' for SQL injection patterns; detections relying solely on the URI path may miss variants that use the body-based injection vector.
  • The vulnerability affects all versions of the WP Automatic plugin from n/a through 3.92.0; version 3.92.1 is the first patched release.
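The detection bullets above describe three separate checks: the unauthenticated download action carrying a `file://` link, SQL-like keywords in the request-body parameter `q=` when the URI is under the plugin path (what the Snort/ET rule matches), and the response-side confirmation strings. The following is an added example, not code from the page's sources or from the plugin vendor, that runs those checks over constructed request/response pairs of the kind a reverse proxy or WAF would log. The `HttpTx` record shape, the indicator names and the sample transactions are assumptions made for the example; the matched strings themselves are the ones listed above.

```python
"""Replay the CVE-2024-27954 indicators over logged HTTP transactions.

Added example: the HttpTx shape, indicator names and SAMPLE_TXS are
constructed for illustration, not taken from the page's sources.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the Detection & IOCs list above.
PLUGIN_PATH = "/wp-content/plugins/wp-automatic/"
DOWNLOADER = PLUGIN_PATH + "downloader.php"
RESP_LINK_FILE = re.compile(r'"link":"file:')          # JSON key echoing a file: URL
RESP_PASSWD = re.compile(r"root:.*:0:0:")              # /etc/passwd root entry
SQL_KEYWORDS = re.compile(r"\b(?:SELECT|UNION|INSERT|DELETE|SHOW)\b", re.I)


@dataclass
class HttpTx:
    """One request/response pair as a proxy or WAF log would record it (assumed shape)."""
    method: str
    uri: str
    request_body: str = ""
    response_body: str = ""


def analyze(tx: HttpTx) -> List[str]:
    """Return the names of the indicators matched by a single transaction."""
    hits: List[str] = []
    parts = urlsplit(tx.uri)
    query = parse_qs(parts.query)
    body = parse_qs(tx.request_body)
    under_plugin = parts.path.startswith(PLUGIN_PATH)

    # Download action reaching downloader.php, either by direct path or through the
    # front-controller form ?wp_automatic=download&link=... listed in the IOCs.
    is_download = parts.path == DOWNLOADER or query.get("wp_automatic") == ["download"]
    link = query.get("link", [""])[0]
    if is_download and link.lower().startswith("file:"):
        hits.append("download_action_file_scheme")

    # Request-body q= carrying SQL keywords while the URI is under the plugin path,
    # the body-based vector the Snort/ET rule matches and URI-only checks miss.
    if under_plugin and SQL_KEYWORDS.search(" ".join(body.get("q", []))):
        hits.append("sqli_pattern_in_q_body_param")

    # Response-side confirmation that the read succeeded.
    if RESP_LINK_FILE.search(tx.response_body):
        hits.append("response_echoes_file_link")
    if RESP_PASSWD.search(tx.response_body):
        hits.append("response_contains_passwd_root_entry")
    return hits


def scan(txs: List[HttpTx]) -> List[List[str]]:
    """Analyze every transaction; one hit list per input, empty when clean."""
    return [analyze(tx) for tx in txs]


# Constructed sample traffic: one successful file read, one body-based SQL probe,
# and two benign requests that must stay clean.
SAMPLE_TXS = [
    HttpTx("GET", "/?p=3232&wp_automatic=download&link=file:///etc/passwd",
           response_body='{"link":"file:///etc/passwd","content":"root:x:0:0:root:/root:/bin/bash\\n"}'),
    HttpTx("POST", PLUGIN_PATH, request_body="q=SHOW TABLES",
           response_body="<html><body>error</body></html>"),
    HttpTx("GET", "/?p=3232", response_body="<html><body>post</body></html>"),
    HttpTx("GET", PLUGIN_PATH + "css/style.css", response_body="body{margin:0}"),
]

if __name__ == "__main__":
    for tx, hits in zip(SAMPLE_TXS, scan(SAMPLE_TXS)):
        print(f"{tx.method} {tx.uri}: {hits or 'clean'}")
```

The request-side checks alert on attempts; the two response-side checks only fire when the endpoint actually returned file content, which is the signal to escalate from "scanner noise" to "confirmed read" in triage.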

CVSS provenance

NVD:       v3.1 · 9.3 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
VulnCheck: 9.3 CRITICAL