WordPress Plugin Flaw Lets Hackers Install Vulnerable Add-ons

Critical Vulnerability in Hunk Companion Plugin Poses Major Security Risks for WordPress Users

Malicious actors are currently exploiting a critical vulnerability in the Hunk Companion plugin for WordPress, potentially jeopardizing the security of over 10,000 active installations. This flaw, identified as CVE-2024-11972, has a staggering CVSS score of 9.8, indicating its severity. If left unaddressed, this vulnerability could allow attackers to install additional vulnerable plugins, leading to various types of cyberattacks.

According to WPScan, the security risk associated with this flaw is significant. Attackers can exploit it to install unprotected or outdated plugins, which may facilitate attacks such as Remote Code Execution (RCE), SQL Injection, Cross-Site Scripting (XSS), and the creation of administrative backdoors. The implications of these exploits can be dire, as they may enable unauthorized access and control over WordPress sites.

Understanding the Vulnerability in Hunk Companion

The vulnerability affects all versions of the Hunk Companion plugin prior to version 1.9.0. WPScan discovered the defect while analyzing an infection on a WordPress site, where attackers were using it to install a now-closed plugin called WP Query Console. That installation opened the door for further exploitation through an unpatched zero-day RCE flaw in WP Query Console, tracked as CVE-2024-50498, which carries the maximum CVSS score of 10.0.

  • Key Details about CVE-2024-11972:
    • Affected Versions: All versions before 1.9.0
    • CVSS Score: 9.8
    • Follow-on Attacks Enabled: RCE, SQL Injection, XSS, administrative backdoors (via the vulnerable plugins an attacker can install)

This critical vulnerability also serves as a patch bypass for another known issue, CVE-2024-9707, which similarly allows the installation or activation of unauthorized plugins. The root cause of the flaw lies in a bug within the script "hunk-companion/import/app/app.php," enabling unauthenticated requests to bypass permission checks for plugin installations.
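As an added defender-side example (not code from WPScan or the Hunk Companion project), the following audit reads WordPress plugin headers and flags the two conditions the article describes: a Hunk Companion install below 1.9.0, and the presence of the closed WP Query Console plugin. It assumes the plugin directory names hunk-companion and wp-query-console, which the article does not state, and the sample headers are constructed.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple
# First fixed Hunk Companion release, as stated in the article.
HUNK_COMPANION_FIXED = "1.9.0"
HUNK_COMPANION_SLUG = "hunk-companion"      # assumed directory name
WP_QUERY_CONSOLE_SLUG = "wp-query-console"  # assumed directory name

def parse_plugin_version(header_text: str) -> Optional[str]:
    """Pull the 'Version:' field out of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric prefix only: '1.8.5' -> (1, 8, 5); a suffix such as '-beta' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)

def is_below(v: str, fixed: str) -> bool:
    """True when v sorts before fixed, padding so that '1.9' equals '1.9.0'."""
    a, b = version_tuple(v), version_tuple(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def audit_plugins(headers: Dict[str, str]) -> List[str]:
    """headers maps plugin slug -> header text of its main file; returns findings to act on."""
    findings = []
    hc = headers.get(HUNK_COMPANION_SLUG)
    if hc is not None:
        v = parse_plugin_version(hc)
        if v is None or is_below(v, HUNK_COMPANION_FIXED):
            findings.append(f"{HUNK_COMPANION_SLUG} {v or 'unknown'} < {HUNK_COMPANION_FIXED}: update")
    if WP_QUERY_CONSOLE_SLUG in headers:
        findings.append(f"{WP_QUERY_CONSOLE_SLUG} present: closed plugin with unpatched RCE; remove")
    return findings

def read_plugin_headers(plugins_dir: Path) -> Dict[str, str]:
    """Read the header of each plugin's main file under a real wp-content/plugins directory."""
    headers = {}
    for d in (p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in sorted(d.glob("*.php")):
            text = php.read_text(errors="ignore")[:8192]  # headers sit at the top of the file
            if "Plugin Name:" in text:
                headers[d.name] = text
                break
    return headers

# Constructed sample headers for an offline run; not copied from any real plugin.
SAMPLE = {
    "hunk-companion": "<?php\n/**\n * Plugin Name: Hunk Companion\n * Version: 1.8.5\n */",
    "wp-query-console": "<?php\n/*\nPlugin Name: WP Query Console\nVersion: 1.0\n*/",
}
```

On a live site, call `audit_plugins(read_plugin_headers(Path("/var/www/html/wp-content/plugins")))` and act on every finding returned.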

The Importance of Securing WordPress Sites

Daniel Rodriguez from WPScan emphasizes the gravity of the situation: “What makes this attack particularly dangerous is its combination of factors—leveraging a previously patched vulnerability in Hunk Companion to install a now-removed plugin with a known Remote Code Execution flaw.” This highlights the critical need for WordPress users to secure every component of their sites, especially third-party themes and plugins, which can serve as entry points for attackers.

Related Vulnerabilities in WordPress Plugins

In addition to the Hunk Companion vulnerability, Wordfence has recently reported a high-severity flaw in the WPForms plugin (CVE-2024-11205), affecting versions 1.8.4 through 1.9.2.1. This vulnerability allows authenticated attackers with Subscriber-level access and higher to refund Stripe payments and cancel subscriptions. Thankfully, this issue has been resolved in versions 1.9.2.2 and later, further emphasizing the importance of keeping WordPress plugins updated.

Stay Informed and Secure

WordPress users are urged to update their Hunk Companion plugin to version 1.9.0 or later to mitigate these risks. Regularly monitoring for updates and understanding potential vulnerabilities can significantly enhance site security.
