CVE-2024-27956
published 2024-03-21


Priority: P1 · 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 93.97% (99.8th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection. This issue affects Automatic: from n/a through 3.92.0.

Affected (2 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| valvepress | automatic | <= 3.92.0 | |
| valvepress | automatic | n/a – 3.92.0 | |

Detection & IOCs (extracted from sources)

filename: web.php
filename: index.php
url: {{BaseURL}}/?p=3232&wp_automatic=download&link=file:///etc/passwd
path: /wp-content/plugins/wp-automatic
path: /downloader.php
  • Look for newly created WordPress administrator accounts whose username begins with 'xtw' — this is a strong indicator of post-exploitation account creation via CVE-2024-27956.
  • Detect HTTP requests containing the query parameter 'wp_automatic=download' combined with a 'link=file://' scheme, indicating exploitation of the arbitrary file download/SSRF vector.
  • Alert on HTTP responses with Content-Type 'application/csv' that also contain the body strings 'DATE', 'ACTION', and 'KEYWORD' — this matches the nuclei template detection logic for the vulnerable csv endpoint.
  • After gaining admin access, attackers install additional plugins that allow file uploads and code editing — monitor for unexpected plugin installations following any suspicious admin account creation.
  • The Metasploit module hashes the newly created malicious administrator account password using MD5 — look for new WordPress user records with MD5-hashed passwords in the database as a post-exploitation indicator.
  • The vulnerability affects WP Automatic plugin versions before 3.92.1 (NVD lists 'through 3.92.0'). Ensure version checks account for this boundary — versions 3.92.0 and below are vulnerable.
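
The request and account indicators listed above can be turned into a small log triage script. This is an added example, not code from the sources this page summarizes; the access-log lines and usernames are constructed samples, the log format is assumed to be Apache/nginx "combined" style, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample data for illustration (not from a real incident).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [01/May/2024:10:00:01 +0000] "GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1" 200 1432',
    '203.0.113.7 - - [01/May/2024:10:00:02 +0000] "GET /?p=1&wp_automatic=download&link=FILE%3A%2F%2F%2Fetc%2Fhosts HTTP/1.1" 200 220',
    '198.51.100.4 - - [01/May/2024:10:00:05 +0000] "GET /?p=3232&wp_automatic=download&link=https://example.com/a.jpg HTTP/1.1" 200 900',
    '198.51.100.9 - - [01/May/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 5120',
]
SAMPLE_ADMINS = ["admin", "xtw18387a5b", "editor_jane"]

# Pulls the request target out of a combined-format log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def is_file_download_probe(log_line):
    """True when the request carries wp_automatic=download and a file:// link."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return False
    # parse_qs percent-decodes values, so an encoded link=file%3A%2F%2F... is
    # caught as well as the literal form shown in the IOC list.
    params = parse_qs(urlsplit(match.group(1)).query)
    if "download" not in params.get("wp_automatic", []):
        return False
    # Compare the scheme case-insensitively so trivial variations still match.
    return any(v.strip().lower().startswith("file://")
               for v in params.get("link", []))


def suspicious_admins(admin_usernames):
    """Administrator logins that start with the 'xtw' prefix named above."""
    return [name for name in admin_usernames if name.startswith("xtw")]


def triage(log_lines, admin_usernames):
    """Collect both indicators into one report for an analyst to review."""
    return {
        "file_download_requests": [l for l in log_lines if is_file_download_probe(l)],
        "xtw_admin_accounts": suspicious_admins(admin_usernames),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_ACCESS_LOG, SAMPLE_ADMINS)
    for key, hits in report.items():
        print(key, len(hits))
        for hit in hits:
            print("  ", hit)
```

In practice the administrator list would come from the site's user table or an export of it, and the log lines from the web server's access log.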

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.9 · CRITICAL