CVE-2024-27954

9.3 CRITICAL

📋 TL;DR

This vulnerability in the WordPress Automatic plugin allows unauthenticated attackers to perform path traversal (potentially downloading arbitrary files from the server) and server-side request forgery (SSRF). It affects all WordPress sites running Automatic plugin versions up to and including 3.92.0. No authentication is required to exploit it.

💻 Affected Systems

Products:
  • WordPress Automatic Plugin
Versions: n/a through 3.92.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions installed and activated. No special configuration required.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through arbitrary file download of sensitive files (like wp-config.php containing database credentials) followed by SSRF to internal services, potentially leading to data breach, ransomware deployment, or lateral movement.

🟠 Likely Case

Unauthenticated attackers download WordPress configuration files to obtain database credentials, then use SSRF to probe internal networks or attack internal services, leading to site defacement, data theft, or further exploitation.

🟢 If Mitigated

If web application firewalls block path traversal patterns and restrict outbound requests, exploitation attempts are logged and blocked, preventing data exfiltration and internal network access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists demonstrating both path traversal and SSRF. The unauthenticated nature and low complexity make this highly attractive for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.92.1

Vendor Advisory: https://patchstack.com/database/vulnerability/wp-automatic/wordpress-automatic-plugin-3-92-0-unauthenticated-arbitrary-file-download-and-ssrf-vulnerability?_s_id=cve

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins > Installed Plugins.
  3. Find the 'Automatic' plugin.
  4. Click 'Update Now' if an update is available.
  5. If no update shows, manually download version 3.92.1+ from WordPress.org and replace the plugin files via FTP/SFTP.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Applies to: all

Disable the Automatic plugin until patched to prevent exploitation.

wp plugin deactivate wp-automatic

Web Application Firewall Rules

Applies to: all

Configure WAF to block path traversal patterns (../, ..\, etc.) and restrict outbound HTTP requests from the web server.

🧯 If You Can't Patch

  • Immediately deactivate and remove the Automatic plugin from all WordPress installations.
  • Implement network segmentation to restrict web server outbound connections to only necessary external services.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for 'Automatic' plugin version. If version is 3.92.0 or lower, you are vulnerable.

Check Version:

wp plugin get wp-automatic --field=version

Verify Fix Applied:

After update, verify plugin version shows 3.92.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' or '..\' patterns in URL parameters
  • Unusual outbound HTTP requests from web server to internal IP addresses or unusual domains
  • Multiple failed attempts to access wp-config.php or other sensitive files

Network Indicators:

  • Outbound HTTP requests from web server to internal network ranges (192.168.x.x, 10.x.x.x, 172.16.x.x)
  • Unusual traffic patterns to plugin-specific endpoints (/wp-content/plugins/wp-automatic/)

SIEM Query:

source="web_server_logs" AND (url="*../*" OR url="*..\\*" OR url="*/wp-content/plugins/wp-automatic/*")
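As an added example (not from this page or the plugin vendor), the following Python script applies the log indicators listed above to a few constructed access-log lines: it decodes percent-encoding before matching so encoded traversal sequences are not missed, flags requests to the plugin path and to wp-config.php, and counts hits per source IP to surface repeated probing. The log lines, IPs and the query parameter name are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-content/plugins/wp-automatic/index.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /wp-content/plugins/wp-automatic/ HTTP/1.1" 404 128 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:12:00:04 +0000] "GET /blog/?p=../../../etc/passwd HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')      # matches ../ and ..\ (page's log indicators)
PLUGIN_PATH = "/wp-content/plugins/wp-automatic/"  # plugin endpoint named on the page


def classify(url):
    """Return the list of indicator names that a request URL matches."""
    decoded = unquote(unquote(url))  # decode twice to also catch double-encoded sequences
    hits = []
    if TRAVERSAL_RE.search(decoded):
        hits.append("path_traversal")
    if decoded.startswith(PLUGIN_PATH):
        hits.append("wp_automatic_endpoint")
    if "wp-config.php" in decoded:
        hits.append("wp_config_access")
    return hits


def scan(log_text):
    """Parse access-log lines; return (ip, status, url, indicators) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        hits = classify(m.group("url"))
        if hits:
            findings.append((m.group("ip"), int(m.group("status")), m.group("url"), hits))
    return findings


def by_source(findings):
    """Count suspicious requests per source IP to surface repeated probing from one host."""
    counts = {}
    for ip, _status, _url, _hits in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(by_source(scan(SAMPLE_LOG)))
```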
