PT-2024-3159 · Unknown · Valvepress Automatic

Rafie Muhammad · Published 2024-02-25 · Updated 2025-08-27 · CVE-2024-27956

CVSS v3.1: 9.9 (Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L)

Name of the Vulnerable Software and Affected Versions:

ValvePress Automatic versions prior to 3.92.1

Description:

The ValvePress Automatic plugin contains an SQL injection vulnerability that allows attackers to execute arbitrary SQL commands against the site's database. Successful exploitation can lead to the creation of new administrator accounts, installation of backdoors, and potentially full control over the affected site. The vulnerability is being actively exploited, with over 5.5 million attempts reported. It affects versions prior to 3.92.1.

Recommendations:

For versions prior to 3.92.1, update to version 3.92.1 to secure your site.

As a temporary workaround, consider disabling the `wp-automatic` plugin until the update to 3.92.1 can be applied.

Restrict access to the vulnerable `inc/csv.php` file to minimize the risk of exploitation.

Avoid using the `q` parameter in the affected API endpoint until the issue is resolved.
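A defender-side check supporting the workarounds above, added here and not part of the advisory: it scans web-server access-log lines for requests to the `inc/csv.php` file named above and notes whether the `q` parameter appears in the query string. The full plugin path is assumed from the standard WordPress layout (`wp-content/plugins/<slug>/`), and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed full path: WordPress installs plugins under wp-content/plugins/<slug>/,
# and the slug given in the advisory is wp-automatic.
VULN_PATH = "/wp-content/plugins/wp-automatic/inc/csv.php"

# Combined log format: ip ident user [timestamp] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one GET carrying q=, one POST (body not logged), one unrelated hit.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2024:10:01:02 +0000] "GET /wp-content/plugins/wp-automatic/inc/csv.php?q=1 HTTP/1.1" 200 512
198.51.100.9 - - [25/Feb/2024:10:01:05 +0000] "POST /wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1" 403 0
192.0.2.4 - - [25/Feb/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096
"""


def flag_requests(lines):
    """Return (ip, timestamp, method, status, has_q) for every request to VULN_PATH.

    Every hit on the file is reported, not only those with q in the query string:
    a POST can carry q in the body, which an access log does not record.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        parts = urlsplit(m.group("target"))
        if parts.path.lower() != VULN_PATH:
            continue
        has_q = "q" in parse_qs(parts.query)
        hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                     int(m.group("status")), has_q))
    return hits


if __name__ == "__main__":
    for ip, ts, method, status, has_q in flag_requests(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {method} status={status} q_param={'yes' if has_q else 'no'}")
```

A 403 on the second line is what the access restriction above should produce once it is in place; a 200 on such a request is worth investigating.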

Weakness Enumeration

SQL injection

Related Identifiers

BDU:2024-03372
CVE-2024-27956

Affected Products

Valvepress Automatic
WordPress