Over 4,000 WordPress Sites Hacked – All Thanks to Yet Another Plugin Flaw
Ah, WordPress. The engine that powers over 40% of the web and, apparently, half the cybercriminal economy too. In the latest episode of “Why Your Website’s Probably Compromised,” security researchers have uncovered an active exploitation campaign targeting a critical flaw in the WP-Automatic plugin—used by over 30,000 sites. At least 4,000 websites are confirmed compromised, and if history is any guide, that number’s about to spike.
Let’s dig in before the next plugin breaks your site and lets some teenager from a basement in Belarus mine crypto from your contact form.
The Flaw: CVE-2024-27956
This particular cluster fluff is tracked as CVE-2024-27956, and it lets unauthenticated attackers inject malicious code through vulnerable POST requests. That’s right—unauthenticated. No login is required. Just rock up and spray code into your site like it’s a public toilet wall.
This is possible thanks to inadequate input sanitisation in the plugin's processing of user-supplied data.
In plain English: the developers didn’t clean their inputs. It’s the cybersecurity equivalent of serving raw chicken and hoping no one notices.
Exploitation in the Wild: Fast, Widespread, Predictable
Once disclosed by the researchers at WPScan, it took mere days before attackers began scanning the web for exposed instances. According to Infosecurity Magazine, more than 4,000 compromised domains have already been linked to the exploit, including some moderately high-profile blogs and e-commerce sites. Nice.
The malware delivered via this flaw redirects users to dodgy landing pages, injects SEO spam, and in some cases drops backdoors for persistent access.
So yes—you might now be an unwilling SEO agent for a Turkish knockoff handbag store. Congrats.
Why This Keeps Happening: A Brief Rant
Here we go.
1. Plugins Are a Blessing and a Curse
WordPress plugins are like snacks in a petrol station. They're cheap, easy to grab, and you probably don’t check the expiry date before shoving one in. But you should. Some of these plugins are created by solo developers with limited security experience. Some haven’t been updated in years. And some—even popular ones like WP-Automatic—are rushed, bloated, and under-audited.
2. Updates Aren’t Optional
This vulnerability was patched in version 3.9.2.0. And yet thousands of sites remain exposed because website owners don’t update. Why? Sometimes it’s fear of breaking the theme. Sometimes it's laziness. Sometimes it’s “my cousin built this site in 2019 and he’s in Ibiza now.”
If you're not patching, you're not running a website—you're running a public honeypot.
3. No One Monitors Their WordPress Site
Most site owners only realise they’ve been hacked when Google flags them, traffic drops, or customers start complaining about redirects to porn sites. If you’re not monitoring logs, scanning for malware, or running any kind of WAF, you are the low-hanging fruit.
4. Shared Hosting = Shared Hell
Many WordPress sites are deployed on £3.99/mo shared hosting plans where security is an afterthought. If one neighbour on the server gets popped, you might go down too. But sure—let’s save money on hosting while risking our customer data. Sound logic.
What You Should Do (Right Now)
Update the Plugin – If you're using WP-Automatic, upgrade to 3.9.2.0 or later immediately.
Scan Your Site – Use something like Wordfence or Sucuri to detect malware or backdoors.
Check for Redirects – Inspect .htaccess and index files for strange redirections.
Enable Automatic Updates – At least for plugins and minor WordPress versions.
Backups – If you don’t have a clean backup from before the compromise, you’re rebuilding from scratch.
Consider Managed Hosting or a Proper CMS – If this keeps happening, it might be time to rethink your platform altogether.
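The first three steps above (confirm the plugin version, look for redirect rules in .htaccess, look for injected code in index files) can be scripted for a quick triage pass. The following is an added example written for this article, not code from the original post, WP-Automatic, Wordfence or Sucuri. It assumes a standard WordPress layout (a plugin header containing a `Version:` line, Apache-style .htaccess rewrite rules, a stock index.php) and uses constructed sample files inline; the only real value it relies on is the patched version 3.9.2.0 quoted in the article. The indicator patterns are common obfuscation and SEO-spam signatures, not a signature for this specific campaign.

```python
"""Post-advisory triage for a WordPress install (added example).

Three checks: is the plugin older than the fixed release, does .htaccess
redirect visitors (or only search-engine referrals) to a foreign host, and
do index files carry classic injected-code markers.
"""
import re

# Fixed release named in the article for CVE-2024-27956.
PATCHED_VERSION = "3.9.2.0"

# Simple obfuscation / redirect markers seen in injected PHP. Names only;
# this is a triage heuristic, not a malware signature.
PHP_INDICATORS = {
    "eval(base64_decode(...))": r"eval\s*\(\s*base64_decode\s*\(",
    "eval(gzinflate(...))": r"eval\s*\(\s*gzinflate\s*\(",
    "eval(str_rot13(...))": r"eval\s*\(\s*str_rot13\s*\(",
    "hard-coded Location header": r"header\s*\(\s*['\"]Location:\s*https?://",
}


def parse_version(version: str) -> tuple:
    """'3.9.1.0' -> (3, 9, 1, 0) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def plugin_version_from_header(header_text: str):
    """Read the 'Version:' line from a plugin's main-file header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def needs_update(installed: str, patched: str = PATCHED_VERSION) -> bool:
    return parse_version(installed) < parse_version(patched)


def suspicious_htaccess_rules(htaccess: str, own_hosts: set) -> list:
    """Flag rewrite/redirect rules pointing off-site and referrer-gated rules."""
    findings = []
    for line in htaccess.splitlines():
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue
        # Redirect / RewriteRule whose target is an absolute URL on a host we do not own.
        if re.match(r"(RewriteRule|Redirect(Match)?)\b", rule, re.IGNORECASE):
            target = re.search(r"https?://([^/\s]+)", rule, re.IGNORECASE)
            if target and target.group(1).lower() not in own_hosts:
                findings.append(rule)
        # Redirecting only search-engine referrals is the classic SEO-spam pattern.
        if (re.match(r"RewriteCond\s+%\{HTTP_REFERER\}", rule, re.IGNORECASE)
                and re.search(r"google|bing|yahoo", rule, re.IGNORECASE)):
            findings.append(rule)
    return findings


def php_injection_indicators(php_source: str) -> list:
    return [name for name, pattern in PHP_INDICATORS.items()
            if re.search(pattern, php_source)]


def triage(plugin_header: str, htaccess: str, index_php: str, own_hosts: set) -> dict:
    """Run all three checks and return one summary dict."""
    version = plugin_version_from_header(plugin_header)
    return {
        "plugin_version": version,
        "plugin_needs_update": version is None or needs_update(version),
        "htaccess_findings": suspicious_htaccess_rules(htaccess, own_hosts),
        "php_indicators": php_injection_indicators(index_php),
    }


# --- Constructed sample inputs (not taken from any real site) ---------------
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: WP Automatic
Version: 3.9.1.0
*/
"""

SAMPLE_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://spam-landing.invalid/$1 [R=302,L]
"""

SAMPLE_INDEX_PHP = """<?php
eval(base64_decode('Y29uc3RydWN0ZWQ='));
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PLUGIN_HEADER, SAMPLE_HTACCESS,
                             SAMPLE_INDEX_PHP, {"example.com"}).items():
        print(f"{key}: {value}")
```

Point the three inputs at `wp-content/plugins/<plugin-dir>/<main-file>.php`, the site root `.htaccess`, and `index.php` (and `wp-content/index.php`, theme `index.php` files) to run it against a real install. A non-empty `htaccess_findings` or `php_indicators` list is a reason to restore from a clean backup rather than to hand-clean, which matches the article's advice on backups.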
The Bigger Picture: Is WordPress Still Worth It?
Yes and no.
WordPress is still the king for content and flexibility. But it’s also the cyber equivalent of a wide-open garage door. If you’re not actively managing it—patching, auditing, securing—it’s a risk.
If you're a small business, and your website is the front door to your business, treat it like a front door. Not a compost heap.
There is a reason why this website is not on WordPress!
Remember: Your Website Is Not "Set and Forget"
If your website matters to your business—and it should—then it deserves more than a part-time babysitter or no updates since lockdown. If you’re not going to look after it, at least hire someone who will, preferably before your site ends up on a malware blocklist in Google Chrome.
Because once you're blacklisted, it's not just an inconvenience—it’s a commercial death sentence.
| Source | Link |
|---|---|
| Infosecurity Magazine | WordPress Plugin Flaw Exploited |
| The Hacker News | Hackers Exploiting WP-Automatic Plugin Bug |
| WPScan | New Malware Campaign Targets WP-Automatic Plugin |
| SecurityWeek | Critical WordPress Automatic Plugin Vulnerability Exploited |
| SonicWall | WordPress Unauthenticated Arbitrary SQL Execution Vulnerability |
| CSA Singapore | Active Exploitation of Critical Vulnerability in WordPress Automatic Plugin |
| BleepingComputer | The Four WordPress Flaws Hackers Targeted the Most in Q1 2025 |