A critical security vulnerability in the Hunk Companion plugin for WordPress, identified as CVE-2024-11972, is being actively exploited by cybercriminals to silently install other vulnerable or closed plugins, escalating the risk of various attacks. This flaw, which affects all versions of the plugin prior to 1.9.0, has a CVSS score of 9.8, indicating a high level of severity. The Hunk Companion plugin, with over 10,000 active installations, has become a prime target for malicious actors who can exploit this vulnerability to compromise WordPress websites.
The vulnerability allows attackers to bypass permission checks and install unauthorized plugins, which can lead to dangerous consequences such as Remote Code Execution (RCE), SQL Injection, and Cross-Site Scripting (XSS) attacks. In one instance, attackers used the flaw to install the now-removed WP Query Console plugin, which contained a zero-day RCE vulnerability (CVE-2024-50498). This bug, which remains unpatched, allowed the attackers to execute arbitrary PHP code, further compromising the targeted site. The flaw in Hunk Companion effectively served as a bypass for a previously patched vulnerability (CVE-2024-9707), amplifying the risk to affected WordPress sites.
What makes this vulnerability particularly concerning is its potential for wide-ranging exploitation. By leveraging outdated or abandoned plugins, attackers can circumvent security measures and gain deeper access to WordPress sites. Once installed, these plugins can tamper with database records, execute malicious scripts, and potentially create backdoors for future attacks. The combination of this flaw with the unpatched RCE vulnerability highlights the ongoing need for site administrators to be vigilant about updating and securing every component of their WordPress installation, including third-party plugins and themes.
This discovery underscores the importance of proactive security measures in the WordPress ecosystem. Security experts, including WPScan, are urging WordPress site owners to update the Hunk Companion plugin to version 1.9.0 or later to mitigate the risks associated with this vulnerability. In parallel, a similar high-severity vulnerability was recently disclosed in the WPForms plugin, demonstrating the broader trend of third-party plugin vulnerabilities being targeted by attackers. As the threat landscape continues to evolve, WordPress site owners must prioritize regular updates and comprehensive security practices to safeguard against such exploits.
Reference:
