WordPress Plugin Vulnerability Leads to Malware Installation

Zero-Day Vulnerability in Hunk Companion Plugin Poses Serious Threat to WordPress Sites

A critical vulnerability in the WordPress plugin Hunk Companion is being actively exploited. Tracked as CVE-2024-11972, the flaw lets an unauthenticated attacker send crafted POST requests that make the site install arbitrary plugins from the WordPress.org repository, including old, vulnerable releases. Hunk Companion, the companion plugin for ThemeHunk's customizable themes, has more than 10,000 active installations.

Understanding the Hunk Companion Vulnerability

Researchers at WPScan first reported the Hunk Companion vulnerability and observed attackers using it to install plugins with known, unpatched flaws (remote code execution, SQL injection, and cross-site scripting). Those second-stage plugins are then exploited to take over the site; the Hunk Companion flaw itself is only the foothold.

Key Details of the Vulnerability:

  • Flaw identifier: CVE-2024-11972
  • Affected versions: all versions prior to 1.9.0
  • Plugins installed by attackers: outdated plugins with known vulnerabilities, including WP Query Console, which has not been updated in over seven years
  • Attack method: once a vulnerable plugin has been installed, attackers exploit it to execute PHP and write a dropper into the site's root directory, which gives them a persistent backdoor that survives a later update of Hunk Companion
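The bullets above describe three things an administrator can look for on disk: a Hunk Companion version below 1.9.0, a plugin directory that should not be there (WP Query Console), and PHP files in the site root that WordPress core does not ship. The following script is an added example written for this article, not code from WPScan or from the plugin; it builds a constructed sample site in a temporary directory (the plugin slugs, file names, and the placeholder `dropper.php` are assumptions for illustration, not observed indicators) and runs the three checks over it. The set of core root PHP files is the one shipped by a stock WordPress install.

```python
"""Audit a WordPress install for the Hunk Companion exposure described above.

Checks:
  1. Hunk Companion present with a version below 1.9.0 (the fixed release)?
  2. WP Query Console present (a sign that the flaw was already used)?
  3. PHP files in the site root that are not part of WordPress core
     (where the dropper described above is written)?
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

HUNK_COMPANION_FIXED = "1.9.0"

# PHP files a stock WordPress install ships in the site root; anything else
# sitting there deserves a look.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}

# Matches the "Version:" field of a plugin header comment (with or without
# a leading "*").
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_plugin_version(header_text: str) -> str | None:
    """Return the Version: value from a plugin's main-file header, or None."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version: str) -> tuple[int, ...]:
    """'1.8.5' -> (1, 8, 5). Non-numeric components count as 0 so that
    pre-release tags such as '1.9.0-beta' still compare sensibly."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_vulnerable(version: str, fixed: str = HUNK_COMPANION_FIXED) -> bool:
    """True when the installed version is older than the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def installed_plugins(wp_root: Path) -> dict[str, str | None]:
    """Map plugin slug -> version by reading each plugin's header comment."""
    found: dict[str, str | None] = {}
    plugins_dir = wp_root / "wp-content" / "plugins"
    if not plugins_dir.is_dir():
        return found
    for entry in sorted(plugins_dir.iterdir()):
        if not entry.is_dir():
            continue
        version = None
        # The main file is the top-level .php file carrying a "Plugin Name:" header.
        for php in sorted(entry.glob("*.php")):
            text = php.read_text(errors="replace")
            if "Plugin Name:" in text:
                version = parse_plugin_version(text)
                break
        found[entry.name] = version
    return found


def audit_site(wp_root: Path) -> dict:
    """Run the three checks and return the findings as a plain dict."""
    plugins = installed_plugins(wp_root)
    hc_version = plugins.get("hunk-companion")
    return {
        "hunk_companion_version": hc_version,
        "hunk_companion_vulnerable": bool(hc_version and is_vulnerable(hc_version)),
        "wp_query_console_present": "wp-query-console" in plugins,
        "unexpected_root_php": sorted(
            p.name for p in wp_root.glob("*.php") if p.name not in CORE_ROOT_PHP
        ),
    }


def build_sample_site() -> Path:
    """Constructed fixture, not a real site: an un-updated Hunk Companion, a rogue
    WP Query Console, a few core files, and a placeholder file standing in for
    the dropper (the name 'dropper.php' is an assumption for illustration)."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    plugins = root / "wp-content" / "plugins"
    (plugins / "hunk-companion").mkdir(parents=True)
    (plugins / "hunk-companion" / "hunk-companion.php").write_text(
        "<?php\n/**\n * Plugin Name: Hunk Companion\n * Version: 1.8.5\n */\n")
    (plugins / "wp-query-console").mkdir()
    (plugins / "wp-query-console" / "wp-query-console.php").write_text(
        "<?php\n/**\n * Plugin Name: WP Query Console\n * Version: 1.0\n */\n")
    for name in ("index.php", "wp-config.php", "wp-login.php"):
        (root / name).write_text("<?php // core file\n")
    (root / "dropper.php").write_text("<?php // placeholder for a dropper\n")
    return root


if __name__ == "__main__":
    for key, value in audit_site(build_sample_site()).items():
        print(f"{key}: {value}")
```

Point `audit_site()` at a real document root instead of the fixture to use it in anger. A clean result for check 1 after updating is not enough on its own: the update does not remove a plugin an attacker already installed or a file already written to the root, which is why checks 2 and 3 are run independently of the version.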

Urgent Update Recommendations

Version 1.9.0 fixes the vulnerability, but at the time of the report only about 1,800 of the roughly 10,000 affected sites had updated, leaving around 8,000 sites exposed to ongoing exploitation. The researchers urge all Hunk Companion users to update immediately.

Related Security Concerns

CVE-2024-11972 is a bypass of the fix for an earlier vulnerability in the same plugin, CVE-2024-9707: that flaw was patched, but the patch was incomplete and attackers found a way around it. Two lessons follow. First, a plugin that has "been patched" for a given flaw can still be exploitable through a variant, so what matters is running the version that actually closes the hole (1.9.0 or later here). Second, the whole attack chain depends on outdated plugins: the old, vulnerable releases that Hunk Companion was abused to install are still available, which is why keeping every plugin current matters, not only the one named in the advisory.


Conclusion

Website administrators should update Hunk Companion to 1.9.0 or later immediately. Updating closes the entry point but does not undo an exploitation that has already happened: a site that was attacked may still carry the plugins the attacker installed and the dropper written to its root directory, so after updating, check the plugin list for anything unexpected (WP Query Console in particular) and the site root for PHP files that are not part of WordPress core, and remove what does not belong. Regular updates and routine checks of this kind are what keep a WordPress site intact.
