Critical Vulnerability in Hunk Companion Plugin Allows Installation of Exploitable Plugins
2024-12-12
Learn about the importance of timely updates and patch management to prevent exploitation of known vulnerabilities in WordPress plugins.
Hackers are exploiting a critical vulnerability in the Hunk Companion WordPress plugin to install other outdated plugins with known vulnerabilities, allowing them to execute remote code, perform SQL injection, and create backdoor admin accounts. This vulnerability, affecting all versions before 1.9.0, was discovered by WPScan and has been actively exploited to compromise WordPress sites. A security update has been released to address the issue, but many sites remain at risk due to unpatched installations.
Zero-Day, Patch Management, Web App/Website Vulnerability, Open Source
Hunk Companion, WordPress vulnerability, CVE-2024-11972, plugin exploitation, remote code execution
CVE-2024-11972; CVE-2024-50498; CVE-2024-9707
Hunk Companion, WordPress, WP Query Console
Critical Vulnerability in Hunk Companion WordPress Plugin
A significant security flaw has been identified in the "Hunk Companion" WordPress plugin, and attackers are exploiting it to compromise websites by installing additional vulnerable plugins. The flaw, discovered by WPScan and tracked as CVE-2024-11972, lets attackers install and activate plugins with known security issues directly from the WordPress.org repository.

How the Exploit Works
The vulnerable endpoint accepts unauthenticated POST requests, so an attacker does not need an account on the target site. The root problem is a privileged action (plugin installation) that is reachable without any authorization check. Attackers use it to install plugins that carry exploitable flaws of their own; once such a plugin is active, it can be abused for remote code execution (RCE), SQL injection, cross-site scripting (XSS), or the creation of backdoor administrator accounts on the affected site.

Impact and Scope
Hunk Companion, which adds features to themes by ThemeHunk, is used by over 10,000 WordPress sites. All plugin versions before 1.9.0 are affected; 1.9.0 was released to fix the issue, but many sites remain vulnerable because they have not been updated.

Active Exploitation Cases
WPScan has observed the vulnerability being exploited in the wild. Attackers use it to install WP Query Console, a plugin that has not been updated in over seven years, and then exploit an unpatched (zero-day) RCE flaw in it, CVE-2024-50498, to execute arbitrary PHP code. With that foothold they place a PHP dropper in the site's root directory, giving them ongoing unauthorized uploads and persistent backdoor access.

Previous Vulnerability and Recommendations
A similar flaw was fixed in version 1.8.5 (CVE-2024-9707), but attackers found a way to bypass that patch, which is what CVE-2024-11972 addresses. Given the severity and active exploitation, Hunk Companion users should update to version 1.9.0 immediately. Because the attack leaves a separate plugin and a dropper behind, sites that were exposed should also check for unexpected plugins such as WP Query Console and for unfamiliar PHP files in the web root, and remove them: updating Hunk Companion alone closes the entry point but does not remove a backdoor that is already in place. As of now, only about 1,800 sites have updated, leaving thousands still at risk.
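The bug class behind CVE-2024-11972 is a privileged action (installing a plugin from WordPress.org) exposed on an endpoint with no authorization check. The following is an added example, not Hunk Companion's own code and not the real endpoint path, which the advisory does not name: a generic WordPress REST route that installs a plugin, shown first in the vulnerable form and then hardened. The namespace `example/v1`, the route names, the `slug` parameter and the helper name `example_install_plugin` are assumptions made for illustration.

```php
<?php
/**
 * Added illustration of the CVE-2024-11972 bug class (missing authorization
 * on a plugin-install endpoint). Not Hunk Companion's code; the namespace,
 * route names, parameter name and function name below are assumptions.
 */

// --- Vulnerable pattern: anyone who can reach the site can install plugins.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        // '__return_true' makes the route fully unauthenticated: an anonymous
        // POST is enough to pull any plugin from WordPress.org onto the site.
        'permission_callback' => '__return_true',
    ) );
} );

// --- Hardened pattern: require a user who is actually allowed to do this.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => function () {
            // current_user_can() is false for anonymous visitors and for
            // logged-in users without the capability (e.g. subscribers).
            // For cookie-authenticated REST calls core also demands a valid
            // X-WP-Nonce header before this callback runs.
            return current_user_can( 'install_plugins' );
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                // Only WordPress.org-style slugs, never paths or URLs.
                'validate_callback' => function ( $slug ) {
                    return (bool) preg_match( '/^[a-z0-9-]{1,100}$/', $slug );
                },
            ),
        ),
    ) );
} );

// Shared handler: the privileged action itself. Safe only if the route
// in front of it enforces authorization.
function example_install_plugin( WP_REST_Request $request ) {
    $slug = $request->get_param( 'slug' );

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'installed' => $slug ) );
}
```

Two points worth checking when reviewing any plugin that registers routes: a `permission_callback` of `__return_true` (or one that only tests `is_user_logged_in()`) in front of an action that writes to the filesystem or changes users is the same bug, and a capability check belongs on the route, not somewhere inside the handler where a later refactor can route around it, which is the kind of incomplete fix that the advisory describes for the earlier CVE-2024-9707 patch.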
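Since updating Hunk Companion does not remove what an attacker already left behind, here is an added, read-only triage script (not from WPScan, ThemeHunk or the advisory) that checks a WordPress tree for the three artefacts the advisory describes: a Hunk Companion version below 1.9.0, the WP Query Console plugin, and PHP files in the web root that are not part of WordPress core. The plugin directory names `hunk-companion` and `wp-query-console` are assumed from the plugin names in the text, and the core file list is from a stock WordPress tree.

```php
<?php
/**
 * Added triage example, not part of the advisory or either plugin.
 * Usage:  php triage.php /var/www/html
 * Assumptions: plugin directory names hunk-companion and wp-query-console;
 * fixed version 1.9.0 as stated in the advisory.
 */

// Read the version from whichever top-level file carries the plugin header,
// the same way WordPress itself locates a plugin's main file.
function plugin_version( string $plugin_dir ): ?string {
    foreach ( glob( $plugin_dir . '/*.php' ) ?: array() as $file ) {
        $header = (string) file_get_contents( $file, false, null, 0, 8192 );
        if ( preg_match( '/^[ \t\/*#@]*Plugin Name:/mi', $header )
             && preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m ) ) {
            return $m[1];
        }
    }
    return null; // directory missing or no plugin header found
}

function triage( string $root ): array {
    $findings = array();

    // 1. Vulnerable Hunk Companion version (everything before 1.9.0).
    $hc = plugin_version( $root . '/wp-content/plugins/hunk-companion' );
    if ( $hc !== null && version_compare( $hc, '1.9.0', '<' ) ) {
        $findings[] = "Hunk Companion $hc is vulnerable (CVE-2024-11972); update to 1.9.0";
    }

    // 2. The abandoned plugin attackers were observed installing.
    if ( is_dir( $root . '/wp-content/plugins/wp-query-console' ) ) {
        $findings[] = 'WP Query Console present: abandoned plugin used for RCE (CVE-2024-50498) in observed attacks';
    }

    // 3. Unexpected PHP files in the web root, where the observed dropper was placed.
    $core = array(
        'index.php', 'wp-activate.php', 'wp-blog-header.php', 'wp-comments-post.php',
        'wp-config.php', 'wp-config-sample.php', 'wp-cron.php', 'wp-links-opml.php',
        'wp-load.php', 'wp-login.php', 'wp-mail.php', 'wp-settings.php',
        'wp-signup.php', 'wp-trackback.php', 'xmlrpc.php',
    );
    foreach ( glob( $root . '/*.php' ) ?: array() as $file ) {
        if ( ! in_array( basename( $file ), $core, true ) ) {
            $findings[] = 'Unexpected PHP file in web root: ' . basename( $file );
        }
    }

    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( triage( rtrim( $argv[1], '/' ) ) ?: array( 'No findings' ) as $line ) {
        echo $line, PHP_EOL;
    }
}
```

Treat any finding as a reason to examine the site further rather than as a complete cleanup: the advisory only describes a dropper in the root directory, so a site that was exposed should also be checked in the usual other drop locations (wp-content/uploads, mu-plugins) and for administrator accounts that nobody created, since backdoor admin accounts are among the outcomes the advisory lists.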