A severe security vulnerability in the “Hunk Companion” WordPress plugin has been discovered, allowing attackers to compromise sites by installing vulnerable plugins from the WordPress.org repository. The critical flaw, tracked as CVE-2024-11972, affects over 10,000 WordPress websites.
Security researchers at WPScan identified that attackers are leveraging this vulnerability to execute various malicious activities, including:
– Remote Code Execution (RCE)
– SQL injection attacks
– Cross-site scripting (XSS)
– Creation of unauthorized admin accounts
The vulnerability enables attackers to install outdated plugins with known security flaws through unauthenticated POST requests. In documented cases, attackers exploited the vulnerability to install WP Query Console, an outdated plugin containing the zero-day RCE flaw CVE-2024-50498, which allows arbitrary PHP code execution.
Key Points:
– Affects all Hunk Companion versions prior to 1.9.0
– Previous fix in version 1.8.5 (CVE-2024-9707) proved inadequate
– Only 1,800 sites have updated to the secure version
– Approximately 8,000 websites remain vulnerable
Website administrators using Hunk Companion are strongly advised to update to version 1.9.0 immediately to protect against this actively exploited vulnerability. The plugin, primarily used to enhance ThemeHunk WordPress themes, received a security patch addressing the zero-day vulnerability.
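An added triage check (not code from the article, WPScan or the plugin) that turns the indicators above into something an administrator can run: it flags a Hunk Companion version below 1.9.0 (with numeric version comparison, so 1.10.x is not mistaken for an old release), an installed WP Query Console, and administrator accounts created after a date you choose. It assumes the WordPress.org slugs `hunk-companion` and `wp-query-console` and the default column names of WP-CLI's `wp plugin list --format=json` and `wp user list --format=json`; the sample JSON is constructed.

```python
"""Added triage check (not from the article): reads the JSON that WP-CLI's
`wp plugin list --format=json` and `wp user list --format=json` print and
flags the indicators the article describes (field names assumed; sample constructed)."""
import json

FIXED_VERSION = "1.9.0"                  # article: every earlier release is affected
HUNK_SLUG = "hunk-companion"             # assumed WordPress.org slug
QUERY_CONSOLE_SLUG = "wp-query-console"  # assumed slug of the plugin seen installed in attacks

def parse_version(version):
    """'1.8.5' -> (1, 8, 5); numeric tuples order 1.10.0 after 1.9.0, strings would not."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_vulnerable(version):
    """True for any Hunk Companion release below the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def triage(plugins_json, users_json, since):
    """Return human-readable findings; `since` uses the same 'YYYY-MM-DD HH:MM:SS'
    form as user_registered, so plain string comparison is valid."""
    findings = []
    for plugin in json.loads(plugins_json):
        if plugin["name"] == HUNK_SLUG and is_vulnerable(plugin["version"]):
            findings.append(f"{HUNK_SLUG} {plugin['version']} is below {FIXED_VERSION}: update")
        elif plugin["name"] == QUERY_CONSOLE_SLUG:
            findings.append(f"{QUERY_CONSOLE_SLUG} is installed: review how and when it got there")
    for user in json.loads(users_json):
        if "administrator" in user["roles"].split(",") and user["user_registered"] >= since:
            findings.append(f"administrator '{user['user_login']}' created {user['user_registered']}")
    return findings

# Constructed sample input, shaped like WP-CLI output; not captured from a real site.
SAMPLE_PLUGINS = json.dumps([
    {"name": "hunk-companion", "status": "active", "update": "available", "version": "1.8.5"},
    {"name": "wp-query-console", "status": "active", "update": "none", "version": "1.0"},
])
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "owner", "user_registered": "2021-03-01 10:00:00", "roles": "administrator"},
    {"ID": 57, "user_login": "wpsupport", "user_registered": "2024-12-10 02:13:44", "roles": "administrator"},
])

if __name__ == "__main__":
    for line in triage(SAMPLE_PLUGINS, SAMPLE_USERS, "2024-12-01 00:00:00"):
        print(line)
```

A site that passes all three checks is not proven clean; the account check only catches administrators created after the chosen date, so compare the plugin and user lists against a known-good backup as well.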