threatover

// CVE-2024-27956 · UNAUTH SQLi · MASS-EXPLOITED

WP Automatic SQLi?
We clean it.

An unauthenticated SQL injection in WP Automatic let attackers create administrators and plant backdoors at scale in March 2024. If your site ran an affected version, treat it as compromised. We clean by hand. Flat $279.

§ 01 — WHAT THE BUG WAS

Unauthenticated SQLi in a CSV import handler.

WP Automatic exposed an endpoint that accepted CSV-formatted data and passed user-supplied fields into the WordPress database without sanitisation. Any unauthenticated visitor could craft a request that ran arbitrary SQL. Affected versions: prior to 3.92.1. Disclosed March 13, 2024.

Standard attack pattern: insert a row into wp_users with a known password hash; insert a matching wp_usermeta row granting the administrator role; log in; install a backdoor plugin or write a web shell.

§ 02 — INDICATORS

What we look at.

  • [ ACCESS LOG ]

    POSTs to wp-content/plugins/wp-automatic/csv.php from external IPs. Typically dozens to hundreds of requests, sometimes from the same handful of IPs over weeks.

  • [ USERS ]

    Administrators created since March 2024 you don't recognise. Common patterns: usernames like 'admin', 'wpadmin', 'user' with throwaway emails.

  • [ PLUGINS ]

    Plugins installed by the new admin user — file-manager-style plugins, fake security plugins, or anything you didn't install yourself.

  • [ WEB SHELLS ]

    Fresh PHP files in wp-content/uploads/ or anywhere else outside the plugin directories. The csv.php endpoint was also abused to write shells directly.
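To triage the access-log indicator above, an added example (not the service's own tooling): it parses constructed combined-format log lines, keeps only POSTs to the csv.php path from non-internal source addresses, and counts them per IP. The log layout, the RFC 1918/loopback exclusion list and the sample lines are assumptions made here.

```python
import re
import ipaddress
from collections import Counter

# Endpoint named on the page as the one abused in the CVE-2024-27956 campaign.
CSV_ENDPOINT = "/wp-content/plugins/wp-automatic/csv.php"

# Assumed Apache/nginx "combined" log layout: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Addresses treated as internal (RFC 1918, loopback, link-local); assumption for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample lines using RFC 5737 documentation addresses; not a real log.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Mar/2024:02:11:09 +0000] "POST /wp-content/plugins/wp-automatic/csv.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Mar/2024:02:11:12 +0000] "POST /wp-content/plugins/wp-automatic/csv.php HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Mar/2024:11:40:01 +0000] "POST /wp-content/plugins/wp-automatic/csv.php?x=1 HTTP/1.1" 200 770 "-" "python-requests/2.31"
10.0.0.5 - - [15/Mar/2024:12:00:00 +0000] "POST /wp-content/plugins/wp-automatic/csv.php HTTP/1.1" 200 300 "-" "curl/8.0"
192.0.2.44 - - [15/Mar/2024:12:05:00 +0000] "GET /wp-content/plugins/wp-automatic/css/style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Mar/2024:12:05:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
"""

def is_external(ip: str) -> bool:
    """True unless the address is malformed or falls inside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def csv_posts_by_ip(log_text: str) -> Counter:
    """Count POST requests to the WP Automatic csv.php endpoint per external source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # compare the path without its query string
        if path.lower() == CSV_ENDPOINT and is_external(m["ip"]):
            hits[m["ip"]] += 1
    return hits

if __name__ == "__main__":
    for ip, n in csv_posts_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} POST(s) to csv.php")
```

Any non-zero count on a site that ran a version before 3.92.1 is a reason to proceed with the user and file-system checks listed above rather than to stop at the log.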

§ PRICE

Flat $279. One-time. Per site.

[ RESCUE ]

$279

FLAT · ONE-TIME · PER SITE

Manual cleanup, entry-vector identification, written forensic report. 30-day reinfection guarantee.

Start a cleanup →

[ SHIELD ]

$29 / mo

PER SITE · CANCEL ANY TIME

Continuous monitoring, hardening, one cleanup per year included.

Get protected →

Site compromised? Let's talk.

Send us what you know. You get a triage and a fixed quote in return — no obligation.

Open intake form →