Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a wide range of attacks.
The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations.
“This flaw poses a significant security risk, as it enables attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution (RCE), SQL Injection, Cross‑Site Scripting (XSS), or even the creation of administrative backdoors,” WPScan said in a report.
To make matters worse, attackers could leverage outdated or abandoned plugins to bypass security measures, tamper with database records, execute malicious scripts, and seize control of the sites.
WPScan said it discovered the security defect while analyzing an infection on an unspecified WordPress site, finding that threat actors had been weaponizing it to install a now-closed plugin called WP Query Console, and subsequently leveraging an RCE bug in the installed plugin to execute malicious PHP code.
It is worth noting that the zero-day RCE flaw in WP Query Console, tracked as CVE-2024-50498 (CVSS score: 10.0), remains unpatched.
CVE-2024-11972 is also a patch bypass for CVE-2024-9707 (CVSS score: 9.8), a similar vulnerability in Hunk Companion that could allow the installation or activation of unauthorized plugins. That shortcoming was addressed in version 1.8.5.
At its core, the bypass stems from a bug in the script “hunk-companion/import/app/app.php” that allows unauthenticated requests to skip the checks put in place to verify whether the current user has permission to install plugins.
“What makes this attack particularly dangerous is its combination of factors — leveraging a previously patched vulnerability in Hunk Companion to install a now‑removed plugin with a known Remote Code Execution flaw,” WPScan’s Daniel Rodriguez noted.
“The chain of exploitation underscores the importance of securing every component of a WordPress site, especially third‑party themes and plugins, which can become critical points of entry for attackers.”
The development comes as Wordfence disclosed a high-severity flaw in the WPForms plugin (CVE-2024-11205, CVSS score: 8.5) that makes it possible for authenticated attackers, with Subscriber-level access and above, to refund Stripe payments and cancel subscriptions.
The vulnerability, which affects versions 1.8.4 up to, and including, 1.9.2.1, has been resolved in version 1.9.2.2 and later. The plugin is installed on over 6 million WordPress sites.
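The practical check that follows from the version facts in this article (Hunk Companion below 1.9.0, WPForms 1.8.4 through 1.9.2.1 inclusive, and WP Query Console at any version because the plugin is closed and its RCE is unpatched) is an inventory audit. The script below is an added example, not code from WPScan, Wordfence or any of the plugins' authors. It reads the JSON that WP-CLI's `wp plugin list --format=json` produces and flags installed plugins that fall inside the affected ranges, regardless of whether they are active, since the article describes the attack chain installing a plugin purely to abuse it. The plugin slugs (`hunk-companion`, `wpforms`, `wpforms-lite`, `wp-query-console`) are assumptions, because the article names plugins only by their display titles; the inventory at the bottom is constructed sample data.

```python
"""Audit a WordPress plugin inventory against the affected version ranges
named in the article. Input is the JSON emitted by `wp plugin list
--format=json` (WP-CLI). Added example; slugs are assumptions and the
sample inventory is constructed, not taken from a real site."""
import json

# Advisory table built from the article's stated ranges. A bound of None means
# "unbounded on that side"; WP Query Console has no bounds at all because the
# plugin is closed and the RCE has no fix, so any installed version counts.
ADVISORIES = [
    {"slugs": {"hunk-companion"}, "cve": "CVE-2024-11972",
     "min_inclusive": None, "max_inclusive": None, "max_exclusive": "1.9.0",
     "action": "update Hunk Companion to 1.9.0 or later"},
    {"slugs": {"wpforms", "wpforms-lite"}, "cve": "CVE-2024-11205",
     "min_inclusive": "1.8.4", "max_inclusive": "1.9.2.1", "max_exclusive": None,
     "action": "update WPForms to 1.9.2.2 or later"},
    {"slugs": {"wp-query-console"}, "cve": "CVE-2024-50498",
     "min_inclusive": None, "max_inclusive": None, "max_exclusive": None,
     "action": "remove WP Query Console; the plugin is closed and the RCE is unpatched"},
]


def version_key(version: str) -> tuple:
    """Turn '1.9.2.1' into (1, 9, 2, 1). Non-numeric suffixes such as
    '-beta' are dropped, which is good enough for release-version ranges."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter versions are zero-padded so 1.9 == 1.9.0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version: str, advisory: dict) -> bool:
    """True when `version` lies inside the advisory's affected range."""
    lo = advisory["min_inclusive"]
    if lo is not None and compare_versions(version, lo) < 0:
        return False
    hi_excl = advisory["max_exclusive"]
    if hi_excl is not None and compare_versions(version, hi_excl) >= 0:
        return False
    hi_incl = advisory["max_inclusive"]
    if hi_incl is not None and compare_versions(version, hi_incl) > 0:
        return False
    return True


def audit(inventory_json: str) -> list:
    """Match each installed plugin against the advisory table and return
    one finding per (plugin, advisory) hit. Inactive plugins are still
    reported: an installed-but-disabled vulnerable plugin is still on disk."""
    findings = []
    for plugin in json.loads(inventory_json):
        slug = plugin.get("name", "")
        version = plugin.get("version", "")
        for adv in ADVISORIES:
            if slug in adv["slugs"] and is_affected(version, adv):
                findings.append({
                    "slug": slug,
                    "version": version,
                    "status": plugin.get("status", "unknown"),
                    "cve": adv["cve"],
                    "action": adv["action"],
                })
    return findings


# Constructed sample in the shape `wp plugin list --format=json` produces.
# Hunk Companion 1.8.5 is deliberate: it carries the fix for CVE-2024-9707
# but is still below 1.9.0, so the bypass CVE-2024-11972 still applies.
SAMPLE_INVENTORY = json.dumps([
    {"name": "hunk-companion", "status": "active", "update": "available", "version": "1.8.5"},
    {"name": "wpforms-lite", "status": "active", "update": "none", "version": "1.9.2.2"},
    {"name": "wp-query-console", "status": "inactive", "update": "none", "version": "1.0"},
    {"name": "some-unrelated-plugin", "status": "active", "update": "none", "version": "3.4.1"},
])

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['slug']} {f['version']} ({f['status']}): {f['cve']} -> {f['action']}")
```

Run against a live site with `wp plugin list --format=json > plugins.json` and feed the file contents to `audit()`. The sample run flags Hunk Companion 1.8.5 and WP Query Console 1.0 but not WPForms 1.9.2.2, which is exactly the distinction the article draws: 1.8.5 closed the earlier Hunk Companion bug yet remains exposed to the bypass.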