In the attacks observed so far, CVE-2024-27956 is being used to unauthorized database queries and create new admin accounts on susceptible WordPress sites (e.g., names starting with “xtw”), which could then be leveraged for follow-on post-exploitation actions.

This includes installing plugins that make it possible to upload files or edit code, indicating attempts to repurpose the infected sites as stagers.

“Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code,” WPScan said. “To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue.”

The file in question is “/wp‑content/plugins/wp‑automatic/inc/csv.php,” which is renamed to something like “/wp‑content/plugins/wp‑automatic/inc/csv65f82ab408b3.php.”

That said, it’s possible that the threat actors are doing so in an attempt to prevent other attackers from exploiting the sites already under their control.