Critical WordPress Plugin Vulnerability Enables Silent Backdoor Attacks on 10,000+ Sites

A severe security vulnerability has been discovered in the Hunk Companion WordPress plugin, affecting over 10,000 active installations. The flaw, identified as CVE-2024-11972 with a critical CVSS score of 9.8, impacts all versions prior to 1.9.0.

Security researchers at WPScan revealed that attackers are actively exploiting this vulnerability to install additional, compromised plugins, enabling attack vectors including:
– Remote Code Execution (RCE)
– SQL Injection
– Cross-Site Scripting (XSS)
– Administrative backdoor creation

The vulnerability was discovered during an investigation of an infected WordPress site, where attackers exploited the flaw to install the WP Query Console plugin, which contains an unpatched zero-day RCE vulnerability (CVE-2024-50498, CVSS score: 10.0).

Technical Details:
– The flaw exists in “hunk-companion/import/app/app.php”
– It allows the plugin-installation functionality to be reached without the authorization check that should restrict it
– It serves as a bypass of the patch for the earlier vulnerability CVE-2024-9707

Additional Security Concern:
WPForms plugin users should also be aware of a recently disclosed high-severity vulnerability (CVE-2024-11205, CVSS score: 8.5) affecting versions 1.8.4 to 1.9.2.1, which could allow authenticated users to manipulate Stripe payments. This has been patched in version 1.9.2.2.

Website administrators are strongly advised to update affected plugins immediately to prevent potential security breaches.
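The quickest way to act on the advice above is to compare the installed plugin versions against the affected ranges stated in this article. The following is an added example, not code from the article or from any of the plugin vendors: it reads the JSON that `wp plugin list --format=json` emits, flags Hunk Companion below 1.9.0 (CVE-2024-11972), WPForms 1.8.4 through 1.9.2.1 (CVE-2024-11205) and any installed copy of WP Query Console (CVE-2024-50498, which the article says is unpatched). The plugin slugs `hunk-companion`, `wpforms`, `wpforms-lite` and `wp-query-console` are assumptions, and the embedded plugin list is a constructed sample rather than output from a real site.

```python
"""Flag WordPress plugins whose installed version falls in the ranges named in the article."""
import json

# Constructed sample in the shape of `wp plugin list --format=json` (not real site output).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "hunk-companion", "status": "active", "update": "available", "version": "1.8.9"},
    {"name": "wp-query-console", "status": "active", "update": "none", "version": "1.0"},
    {"name": "wpforms-lite", "status": "active", "update": "available", "version": "1.9.2.1"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
])

# Plugin slugs are assumed; check them against the plugin directory names on your own site.
HUNK_COMPANION = "hunk-companion"
WPFORMS_SLUGS = {"wpforms", "wpforms-lite"}
WP_QUERY_CONSOLE = "wp-query-console"


def parse_version(text):
    """Turn '1.9.2.1' into (1, 9, 2, 1). Comparing tuples of ints orders versions
    correctly, whereas comparing the raw strings would put '1.10' before '1.9'."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1; pads with zeros so that 1.9 and 1.9.0 compare equal."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def check_plugin(slug, version):
    """Return the relevant CVE id from the article if this slug/version is affected, else None."""
    v = parse_version(version)
    # Hunk Companion: every version before 1.9.0 is affected.
    if slug == HUNK_COMPANION and compare_versions(v, (1, 9, 0)) < 0:
        return "CVE-2024-11972"
    # WPForms: 1.8.4 through 1.9.2.1 inclusive; fixed in 1.9.2.2.
    if slug in WPFORMS_SLUGS and compare_versions(v, (1, 8, 4)) >= 0 \
            and compare_versions(v, (1, 9, 2, 1)) <= 0:
        return "CVE-2024-11205"
    # WP Query Console: the article reports no fixed version, so any install is flagged.
    if slug == WP_QUERY_CONSOLE:
        return "CVE-2024-50498"
    return None


def audit(plugin_list_json):
    """Return (slug, version, cve) triples for every affected plugin in the wp-cli JSON."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        cve = check_plugin(plugin["name"], plugin.get("version", "0"))
        if cve:
            findings.append((plugin["name"], plugin["version"], cve))
    return findings


if __name__ == "__main__":
    for slug, version, cve in audit(SAMPLE_PLUGIN_LIST):
        print(f"{slug} {version}: affected by {cve}, update or remove")
```

On a real site, pipe the live inventory in with `wp plugin list --format=json | python3 audit.py` after replacing `SAMPLE_PLUGIN_LIST` with `sys.stdin.read()`; a hit on WP Query Console on a site that never intentionally installed it is itself a sign that the Hunk Companion flaw may already have been used.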