CVE-2024-27954
Published 2024-05-17
CVE-2024-27954: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Automatic Automatic allows Path Traversal, Server Side…
Priority: P191 · critical · 9.3 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:L / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 72.95% (99.4th percentile)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Automatic Automatic allows Path Traversal, Server Side Request Forgery. This issue affects Automatic: from n/a through 3.92.0.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wp_automatic | automatic | n/a – 3.92.0 | — |
Detection & IOCs (extracted from sources)

- path: /wp-content/plugins/wp-automatic/downloader.php
- url: /?p=3232&wp_automatic=download&link=file:///etc/passwd
- path: /wp-content/plugins/wp-automatic/
- command: wp_automatic=download&link=file://

Snort/ET rule:

```snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin wp-automatic Server-Side Request Forgery (CVE-2024-27954)"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-automatic/"; fast_pattern; http.request_body; content:"q|3d|"; pcre:"/^(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)/Ri"; reference:url,github.com/gh-ost00/CVE-2024-27954; reference:cve,2024-27954; classtype:web-application-attack; sid:2061306; rev:1;)
```
- Match HTTP response body for the JSON key '"link":"file:' to identify successful exploitation of the arbitrary file download endpoint.
- Match HTTP response body for the regex pattern 'root:.*:0:0:' to confirm /etc/passwd exfiltration via the SSRF/path-traversal endpoint.
- Inspect HTTP request body for the parameter 'q=' (encoded as 'q|3d|') combined with SQL-like keywords (SELECT, UNION, INSERT, DELETE, SHOW) when the URI contains '/wp-content/plugins/wp-automatic/'; this indicates SQLi chained with SSRF exploitation.
- Unauthenticated GET requests to the plugin's downloader.php with a 'link=file://' parameter should be alerted on as exploitation attempts requiring no authentication.
- Use the publicwww fingerprint query '/wp-content/plugins/wp-automatic' to identify exposed WordPress instances running the vulnerable plugin.
- The vulnerability is exploitable without authentication; no session or credentials are required to trigger the arbitrary file download or SSRF via the downloader.php endpoint.
- The Snort/ET rule targets the request body parameter 'q=' for SQL injection patterns; detections relying solely on the URI path may miss variants that use the body-based injection vector.
- The vulnerability affects all versions of the WP Automatic plugin from n/a through 3.92.0; version 3.92.1 is the first patched release.
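The indicators above turned into a small log-scan routine, added here as an example (it is not code from any of the cited sources). It assumes combined-format web access logs; the sample lines, IPs and the `intranet.example` host are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

PLUGIN_PATH = "/wp-content/plugins/wp-automatic/"
PASSWD_RE = re.compile(r"root:.*:0:0:")                       # /etc/passwd marker
SQLI_RE = re.compile(r"\b(?:SELECT|UNION|INSERT|DELETE|SHOW)\b", re.I)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')  # combined log

def classify(method, uri, body="", response_body=""):
    """Tag one HTTP exchange using the downloader.php indicators above."""
    tags = []
    parts = urlsplit(uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    on_plugin = parts.path.startswith(PLUGIN_PATH)
    # downloader.php is reached either by direct path or via wp_automatic=download
    downloader = (on_plugin and parts.path.endswith("downloader.php")) or \
        query.get("wp_automatic", [""])[0] == "download"
    link = unquote(query.get("link", [""])[0]).lower()
    if downloader and link.startswith("file://"):
        tags.append("file-scheme-download")    # local file read attempt
    elif downloader and re.match(r"https?://", link):
        tags.append("ssrf-attempt")            # server-side fetch of another host
    if on_plugin and "q=" in body and SQLI_RE.search(unquote(body)):
        tags.append("sqli-in-body")            # the ET rule's request-body check
    if '"link":"file:' in response_body:
        tags.append("download-succeeded")      # plugin confirmed a file: download
    if PASSWD_RE.search(response_body):
        tags.append("passwd-exfiltrated")      # response carries passwd content
    return tags

def scan_log(lines):
    """Return (client_ip, uri, tags) for every access-log line that fires a tag."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, uri, _status = m.groups()
        tags = classify(method, uri)
        if tags:
            hits.append((ip, uri, tags))
    return hits

# Constructed sample access-log lines (not real traffic; IPs from RFC 5737 ranges)
SAMPLE_LOG = [
    '203.0.113.5 - - [17/May/2024:10:00:01 +0000] "GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1" 200 1422',
    '203.0.113.5 - - [17/May/2024:10:00:02 +0000] "GET /wp-content/plugins/wp-automatic/downloader.php?link=http%3A%2F%2Fintranet.example%2F HTTP/1.1" 200 311',
    '198.51.100.7 - - [17/May/2024:10:00:03 +0000] "GET /wp-content/plugins/wp-automatic/readme.txt HTTP/1.1" 200 900',
]
```

Access logs rarely retain request or response bodies, so the `body` and `response_body` checks are meant for proxy or IDS captures; the log scan alone only covers the URI-based indicators.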
CVSS provenance
- NVD (v3.1): 9.3 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
- VulnCheck: 9.3 CRITICAL
GHSA
GHSA-cjr8-gj3h-wpfp (unreviewed, 2024-05-17, CWE-22, CRITICAL)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Automatic Automatic allows Path Traversal, Server Side Request Forgery. This issue affects Automatic: from n/a through 3.92.0.
VulnCheck
Automatic <= 3.92.0 - Unauthenticated Arbitrary File Download and Server-Side Request Forgery
vulncheck · 2024 · CVSS 9.3 · CRITICAL
The WordPress Automatic Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery and Arbitrary File Downloads in all versions up to, and including, 3.92.0. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services in addition to accessing arbitrary files on the server that may contain sensitive information.
Affected: WordPress / WordPress Automatic Plugin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: ht
Suricata
ET WEB_SPECIFIC_APPS WordPress Plugin wp-automatic Server-Side Request Forgery (CVE-2024-27954)
suricata · 2025-04-04 · CVSS 9.3 · CRITICAL
Rule (truncated in the source; the complete rule is listed under Detection & IOCs above):

```snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin wp-automatic Server-Side Request Forgery (CVE-2024-27954)"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-automatic/"; fast_pattern; http.request_body; content:"q|3d|"; pcre:"/^(?:(?:S(?:HOW\x20(?:C(?:UR(?:DAT|TIM)E|HARACTER\x20SET)|(?:VARI|T)ABLES)|ELECT\x20(?:FROM|USER))|U(?:NION\x20SELEC|PDATE\x20SE)T|DELETE\x20FROM|INSERT\x20INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\x2f\*.+\*\x2f)/Ri"; reference:url,github.com/gh-ost00/CVE-2024-27954; reference:cve,2024-27954; classtype:w
```
Nuclei
WordPress Automatic Plugin <3.92.1 - Arbitrary File Download and SSRF
nuclei · CVSS 9.3 · CRITICAL
WordPress Automatic plugin <3.92.1 is vulnerable to unauthenticated arbitrary file download and SSRF. The flaw, located in the downloader.php file, could permit attackers to download any file from a site. Sensitive data, including login credentials and backup files, could fall into the wrong hands. This vulnerability has been patched in version 3.92.1.
Template (truncated in the source):

```yaml
id: CVE-2024-27954

info:
  name: WordPress Automatic Plugin <3.92.1 - Arbitrary File Download and SSRF
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    WordPress Automatic plugin <3.92.1 is vulnerable to unauthenticated Arbitrary File Download and SSRF Located in the downloader.php file, could permit attackers to download any file from a site. Sen
```
GreyNoise
NoiseLetter October 2025
NoiseLetter April 2024
Reference: https://patchstack.com/database/vulnerability/wp-automatic/wordpress-automatic-plugin-3-92-0-unauthenticated-arbitrary-file-download-and-ssrf-vulnerability?_s_id=cve