- Researchers from WPScan find flaw in Hunk Companion, a plugin with roughly 10,000 users
- The flaw allows crooks to install other plugins from the WP repository, including those with known RCE flaws
- WPScan found the flaw while investigating an active attack
Hackers have reportedly found a way to install old, outdated, and vulnerable plugins on WordPress websites, directly from the WordPress plugin repository. That way, they are able to introduce vulnerabilities to target sites made with the website builder, which grant them remote code execution (RCE) abilities, SQL injection, cross-site scripting (XSS), admin account creation, and more.
The bug that allows crooks to do that was found in Hunk Companion, a utility plugin designed to enhance the functionality of WordPress themes developed by ThemeHunk.
It typically provides features like additional widgets, customization options, and demo content import functionality. It often serves as a companion to ThemeHunk’s themes, unlocking advanced design and usability features not available by default.
Critical vulnerability
Researchers from WPScan found the flaw and reported it to the plugin’s developers, who came back with a fix within days.
While investigating a reported cyberattack, WPScan found that a threat actor abused the bug to install a vulnerable version of WP Query Console, a plugin that hasn’t been patched in seven years. This plugin is known for being flawed, allowing crooks to run malicious PHP code on target sites via a remote code execution bug tracked as CVE-2024-50498.
Hunk Companion is currently used by more than 10,000 websites, which isn’t exactly an impressive figure in the world of WordPress sites, but still not negligible.
The bug used to install flawed plugins is tracked as CVE-2024-11972, and has a severity score of 9.1 (critical). The earliest version that addressed it is 1.9.0, and users are advised to install it as soon as possible. BleepingComputer has also noticed that a similar bug was patched in Hunk Companion 1.8.5, tracked as CVE-2024-9707. It seems the patch didn’t work as intended as there are obvious workarounds.
At press time, 11.6% of users upgraded to v1.9, meaning roughly 8,800 sites are still vulnerable.
Via BleepingComputer
Leave a comment