Cybersecurity researchers have uncovered a critical vulnerability in the Hunk Companion WordPress plugin that attackers are actively exploiting to compromise websites.
The flaw allows malicious actors to install outdated plugins with exploitable vulnerabilities directly from the WordPress.org repository, leading to severe security breaches.
What’s Happening?
Hackers are leveraging the vulnerability to deploy plugins with known flaws, opening websites to a wide array of attacks such as remote code execution (RCE), SQL injection, and cross-site scripting (XSS). These exploits can also be used to create backdoor admin accounts, granting attackers persistent access to the compromised sites.
The issue, discovered by WPScan and tracked as CVE-2024-11972, affects all versions of Hunk Companion before the newly released 1.9.0. WPScan researcher Daniel Rodriguez identified the flaw, which allows the arbitrary installation of plugins via unauthenticated POST requests.
The Attack Vector
Hackers are exploiting CVE-2024-11972 to install vulnerable plugins, such as an outdated version of WP Query Console, a tool last updated over seven years ago. This plugin is being weaponized through another vulnerability, CVE-2024-50498, enabling attackers to execute malicious PHP code.
WPScan observed that attackers are using this exploit chain to drop malicious scripts into websites’ root directories. These scripts act as backdoors, allowing unauthenticated uploads via GET requests and ensuring continued unauthorized access.
Users of Hunk Companion are strongly urged to update to the latest version, 1.9.0, immediately. Despite the release of the security patch, only about 1,800 sites have downloaded the update so far, leaving over 8,000 websites vulnerable.
