Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites
ID: b5beede7-1be1-529f-911a-cc5cfd31d3f8
STIX ID: report--b5beede7-1be1-529f-911a-cc5cfd31d3f8
Feed Name: The Hacker News
WPScan and Patchstack report active exploitation of CVE-2024-27956, a critical SQL injection (CVSS 9.9) in the WP-Automatic/ValvePress WordPress plugin (versions prior to 3.92.0). The flaw enables attackers to run arbitrary SQL, create admin users, upload files, rename the vulnerable /wp-content/plugins/wp-automatic/inc/csv.php file (e.g., csv65f82ab408b3.php), deploy backdoors, and potentially fully compromise sites. Patchstack observed over 5.5 million attack attempts since public disclosure.
