PT-2024-3159 · WordPress+1 · Wordpress+1
Rafie Muhammad · Published 2024-02-25 · Updated 2025-12-26
CVE-2024-27956 · CVSS v3.1 9.9 Critical · AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions
ValvePress Automatic versions prior to 3.92.1
Description
The vulnerability is an SQL injection that allows attackers to execute arbitrary SQL commands, which can lead to site takeover and other malicious activity. It is being actively exploited, with over 5.5 million attack attempts reported. The q variable is passed directly into a $wpdb->get_results() call, so attacker-controlled input is executed as SQL. For example, an attacker can add a new WordPress user with an INSERT INTO query, or grant a user administrator rights by modifying the wp_usermeta table.
Recommendations
To resolve the issue, update ValvePress Automatic to version 3.92.1 or later. As a temporary workaround, consider disabling the vulnerable inc/csv.php file or restricting access to it until a patch can be applied. Additionally, restrict access to the wp-automatic plugin to minimize the risk of exploitation, and avoid using the q variable in the affected API endpoint until the issue is resolved.
Tags: Exploit · Fix · DoS · SQL injection
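As an added illustration of the code pattern the description and recommendations refer to (hypothetical code written for this advisory, not ValvePress Automatic's own source), the vulnerable shape beside a hardened form that never lets the client supply SQL: the request carries only a search term, which is bound through $wpdb->prepare(), and the handler checks capability and a nonce before touching the database. The function names, the nonce action and the capability used are assumptions.

```php
<?php
// Hypothetical illustration, not the plugin's source code.
// Assumes the WordPress $wpdb global and a request parameter named "q".

// Vulnerable pattern: the q parameter is handed to $wpdb->get_results() as-is,
// so whatever the client sends is executed as SQL.
function wpa_query_unsafe() {
    global $wpdb;
    $q = isset( $_REQUEST['q'] ) ? wp_unslash( $_REQUEST['q'] ) : '';
    return $wpdb->get_results( $q );
}

// Hardened pattern: q is treated as data, never as a query. It is escaped for
// LIKE and bound through prepare(), so it can only ever be a string literal.
function wpa_query_safe( $q ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $q ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql );
}

// Endpoint handler: authorization and request-forgery checks come before any
// database access, and the input is normalized to a plain text field.
function wpa_handle_query_request() {
    if ( ! current_user_can( 'manage_options' ) ) {           // assumed capability
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'wpa_query_action' );                 // assumed nonce action
    $q = isset( $_REQUEST['q'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['q'] ) )
        : '';
    return wpa_query_safe( $q );
}
```

The important property of the hardened form is structural: because the SQL text is a fixed string in the plugin and the only client-controlled value is a prepare() placeholder, no input to q can change which statement runs, which is exactly what the INSERT INTO and wp_usermeta scenarios above depend on.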
Weakness Enumeration
Related Identifiers
Affected Products
Valvepress Automatic
Wordpress