Tracking CVE-2024-2876: Why does the latest WordPress exploit put over 90,000 websites at risk?

A critical vulnerability was recently disclosed in the WordPress plugin "Email Subscribers by Icegram Express", which is active on more than 90,000 websites. Tracked as CVE-2024-2876 with a CVSS score of 9.8 (critical), it exposes every unpatched installation to attack.

The flaw is an unauthenticated SQL injection: an attacker who has no account on the site can inject SQL into queries the plugin runs against the WordPress database.

It affects all versions up to and including 5.7.14 and stems from insufficient escaping of user-supplied parameters and the lack of a prepared statement for the SQL query built in the 'run' function of the 'IG_ES_Subscribers_Query' class.

Because the input is not sanitized, an attacker can append additional SQL to the existing query and read or alter data in the WordPress database, compromising both its confidentiality and its integrity.
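The mechanics described above, as an added example that is not code from the Icegram Express plugin or from the Wallarm post: a query built by string interpolation next to the same query built with bound parameters. The schema, table names and rows are constructed for illustration (they borrow WordPress naming such as wp_users and user_pass but are not the plugin's real schema), and the injected payloads are constructed too. The example also shows why a placeholder alone is not enough: a column name in ORDER BY cannot be bound, so it needs an allow-list.

```python
"""Added example, not code from the Icegram Express plugin or the Wallarm
post: how an unauthenticated SQL injection of the kind described above is
exploited, and how bound parameters plus an identifier allow-list close it.
Table names, columns and rows are constructed for illustration."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for a WordPress database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    conn.execute("CREATE TABLE ig_subscribers (email TEXT, status TEXT)")
    conn.execute("INSERT INTO wp_users VALUES ('admin', '$P$BnotARealHash0000000000000000')")
    conn.executemany(
        "INSERT INTO ig_subscribers VALUES (?, ?)",
        [("alice@example.com", "unsubscribed"), ("bob@example.com", "subscribed")],
    )
    conn.commit()
    return conn


def run_vulnerable(conn, status_filter: str, order_by: str) -> list:
    """Request parameters interpolated straight into the SQL text: the flaw class
    the advisory describes (no escaping, no prepared statement)."""
    sql = (f"SELECT email, status FROM ig_subscribers "
           f"WHERE status LIKE '{status_filter}' ORDER BY {order_by}")
    return conn.execute(sql).fetchall()


ALLOWED_ORDER_BY = {"email", "status"}


def run_hardened(conn, status_filter: str, order_by: str) -> list:
    """Values travel as bound parameters. A column name cannot be bound, so the
    ORDER BY identifier is checked against a fixed allow-list instead."""
    if order_by not in ALLOWED_ORDER_BY:
        raise ValueError(f"rejected ORDER BY column: {order_by!r}")
    sql = f"SELECT email, status FROM ig_subscribers WHERE status LIKE ? ORDER BY {order_by}"
    return conn.execute(sql, (status_filter,)).fetchall()


# Constructed payloads --------------------------------------------------------
# 1. Closes the string literal, UNIONs in the password hashes, comments out the rest.
HASH_DUMP = "x' UNION SELECT user_login, user_pass FROM wp_users -- "


# 2. Boolean-blind probe in the identifier position: the resulting sort order
#    reveals whether the first character of the stored hash matches the guess.
def order_probe(guess: str) -> str:
    return (f"CASE WHEN (SELECT substr(user_pass, 1, 1) FROM wp_users) = '{guess}' "
            f"THEN email ELSE status END")


def demo() -> dict:
    conn = build_db()
    leaked = run_vulnerable(conn, HASH_DUMP, "email")               # hashes come back
    probe_hit = run_vulnerable(conn, "%", order_probe("$"))[0][0]   # sorted by email
    probe_miss = run_vulnerable(conn, "%", order_probe("z"))[0][0]  # sorted by status
    safe = run_hardened(conn, HASH_DUMP, "email")                   # payload is just data
    try:
        run_hardened(conn, "%", order_probe("$"))
        probe_rejected = False
    except ValueError:
        probe_rejected = True
    return {"leaked": leaked, "probe_hit": probe_hit, "probe_miss": probe_miss,
            "safe": safe, "probe_rejected": probe_rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable path hands the whole users table to an unauthenticated caller in one request, and the ORDER BY probe shows that even a value position that "only" controls sorting leaks data one bit at a time. In WordPress code the equivalent fix is `$wpdb->prepare()` for values plus an explicit allow-list for column names and sort direction.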

How does this relate to the actively exploited CVE-2024-27956?

CVE-2024-27956 is a separate unauthenticated SQL injection, in the WP-Automatic plugin rather than in Email Subscribers. In the attacks observed so far it has been used to run arbitrary queries against the database and to create new administrator accounts on vulnerable WordPress sites (for instance, accounts whose usernames begin with "xtw").

Its disclosure came alongside other critical plugin vulnerabilities: Email Subscribers by Icegram Express (CVE-2024-2876), Forminator (CVE-2024-28890) and User Registration (CVE-2024-2417).

Taken together, these flaws let an attacker extract sensitive data such as password hashes from the database, upload arbitrary files, and grant administrator privileges to unauthorized users.

In the observed attacks the new administrator accounts were then used to install plugins that allow file uploads or code editing, which suggests the compromised sites are being prepared as staging grounds for further activity.

WordPress security company Patchstack published CVE-2024-27956 on March 13, 2024.

Wallarm Response and First Exploits

Although the CVE was disclosed on March 13, mass exploitation only began around May, after a Nuclei template for the vulnerability was published on GitHub.

Since May, the Wallarm WAAP platform has detected more than 3,000 malicious requests associated with this vulnerability. An example of a scanning attempt using the Nuclei scanner, and how the Wallarm platform detected it, is shown below.

An example of an attack using the GitHub exploit, detected by the Wallarm WAAP platform, is shown in the figure below.

Remediation Action

1. All versions up to and including 5.7.14 are affected, so upgrade the Email Subscribers by Icegram Express plugin to version 5.7.15 or later (5.7.19 is the most recent release at the time of writing).

2. Patchstack users can enable automatic updates specifically for vulnerable plugins.

3. Deploy a WAF/WAAP as an additional layer of protection. Even when a vulnerability is new and unknown (a 0-day), such a solution can still block attempts by recognizing exploitation patterns and techniques rather than relying on a signature for a specific CVE.
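To make the pattern-based detection in point 3 (and the scanner and exploit traffic described in the Wallarm section above) concrete, here is an added example that is not Wallarm's detection logic and not the Nuclei template the post refers to: a small request-log triage that tags scanner traffic and SQL-injection payloads. The log lines are constructed (Apache combined format plus a WAF-style quoted `body=` field), the endpoint `/wp-content/plugins/example-plugin/endpoint.php` and the parameter names are placeholders rather than the vulnerable plugin's real paths, and the Nuclei User-Agent string is the tool's default as far as I know, marked as an assumption in the code.

```python
"""Added example, not Wallarm's detection logic: a request-log triage that
flags scanner traffic and SQL-injection payloads aimed at a plugin endpoint.
All log lines, paths and parameter names below are constructed placeholders."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Default User-Agent Nuclei sends unless the operator overrides it (assumption:
# verify against your own captures before relying on it).
NUCLEI_UA = "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"

# (regex, tag, strength). Strong indicators justify a block on their own; weak
# ones are typical of scanner probes but also occur in legitimate input.
SQLI_PATTERNS = [
    (r"'\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", "tautology", "strong"),
    (r"\bunion\b[\s\S]{0,40}\bselect\b", "union-select", "strong"),
    (r"\b(sleep|benchmark|pg_sleep)\s*\(", "time-based", "strong"),
    (r";\s*(select|insert|update|delete|drop)\b", "stacked-query", "strong"),
    (r"\binsert\s+into\s+\w*users\b", "user-insert", "strong"),
    (r"\binformation_schema\b|\bwp_users\b", "schema-enumeration", "strong"),
    (r"(--|#|/\*)\s*$", "comment-terminator", "weak"),
    (r"^[^']*'[^']*$", "unbalanced-quote", "weak"),
]
COMPILED = [(re.compile(rx, re.I), tag, strength) for rx, tag, strength in SQLI_PATTERNS]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"(?: body="(?P<body>[^"]*)")?$'
)


def parse_line(line: str):
    """Split one log line into fields and collect every decoded request value."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    raw = parse_qsl(parts.query, keep_blank_values=True)
    if rec["body"]:
        raw += parse_qsl(rec["body"], keep_blank_values=True)
    rec["path"] = parts.path
    # parse_qsl already decodes once; the second pass catches double-encoded payloads.
    rec["values"] = [unquote_plus(v) for _, v in raw]
    return rec


def triage(line: str):
    """Tag a single request; returns None for lines the log regex does not fit."""
    rec = parse_line(line)
    if rec is None:
        return None
    tags, strong = [], False
    if "nuclei" in rec["ua"].lower():
        tags.append("scanner:nuclei")
    for value in rec["values"]:
        for rx, tag, strength in COMPILED:
            if rx.search(value) and f"sqli:{tag}" not in tags:
                tags.append(f"sqli:{tag}")
                strong = strong or strength == "strong"
    sqli_hit = any(t.startswith("sqli:") for t in tags)
    scanner = "scanner:nuclei" in tags
    # A known scanner sending even a weak probe is treated like a strong indicator.
    verdict = "block" if strong or (scanner and sqli_hit) else ("watch" if tags else "pass")
    return {"ip": rec["ip"], "method": rec["method"], "path": rec["path"],
            "status": int(rec["status"]), "tags": tags, "verdict": verdict}


def triage_all(lines):
    return [r for r in map(triage, lines) if r is not None]


# Constructed sample traffic ---------------------------------------------------
EP = "/wp-content/plugins/example-plugin/endpoint.php"   # placeholder endpoint
SAMPLE_LOGS = [
    # ordinary page view
    '203.0.113.5 - - [02/May/2024:10:00:01 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # legitimate apostrophe in a search term: weak indicator only
    '203.0.113.6 - - [02/May/2024:10:00:02 +0000] "GET /?s=O%27Brien HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    # scanner probe: single quote in a parameter, default Nuclei User-Agent, server error
    f'198.51.100.7 - - [02/May/2024:10:00:03 +0000] "GET {EP}?id=1%27 HTTP/1.1" 500 0 "-" "{NUCLEI_UA}"',
    # exploitation: UNION-based dump of the users table through a POST body
    f'198.51.100.9 - - [02/May/2024:10:00:04 +0000] "POST {EP} HTTP/1.1" 200 880 "-" "python-requests/2.31" '
    'body="q=x%27+UNION+SELECT+user_login%2Cuser_pass+FROM+wp_users--+"',
    # exploitation: stacked query inserting a new user row
    f'198.51.100.9 - - [02/May/2024:10:00:05 +0000] "POST {EP} HTTP/1.1" 200 12 "-" "python-requests/2.31" '
    'body="q=1%3B+INSERT+INTO+wp_users+%28user_login%2Cuser_pass%29+VALUES+%28%27attacker%27%2C%27x%27%29--+"',
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_LOGS):
        print(f'{r["verdict"]:5} {r["ip"]:14} {r["method"]} {r["path"]} {r["tags"]}')
```

The point of the two-tier scoring is the one the remediation list makes: the strong patterns describe the technique (a UNION, a stacked statement, a write to the users table) rather than one CVE's request, so they fire on exploit traffic for a plugin you have never heard of, while the weak patterns alone only raise a "watch" so that a legitimate O'Brien does not get blocked.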
