Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Hunk Companion Plugin Flaw Installs Malware

December 12, 2024
Reading Time: 2 mins read
in Alerts
Hunk Companion Plugin Flaw Installs Malware

A critical security vulnerability in the Hunk Companion plugin for WordPress, identified as CVE-2024-11972, is being actively exploited by cybercriminals to silently install other vulnerable or closed plugins, escalating the risk of various attacks. This flaw, which affects all versions of the plugin prior to 1.9.0, has a CVSS score of 9.8, indicating a high level of severity. The Hunk Companion plugin, with over 10,000 active installations, has become a prime target for malicious actors who can exploit this vulnerability to compromise WordPress websites.

The vulnerability allows attackers to bypass permission checks and install unauthorized plugins, which can lead to dangerous consequences such as Remote Code Execution (RCE), SQL Injection, and Cross-Site Scripting (XSS) attacks. In one instance, attackers used the flaw to install the now-removed WP Query Console plugin, which contained a zero-day RCE vulnerability (CVE-2024-50498). This bug, which remains unpatched, allowed the attackers to execute arbitrary PHP code, further compromising the targeted site. The flaw in Hunk Companion effectively served as a bypass for a previously patched vulnerability (CVE-2024-9707), amplifying the risk to affected WordPress sites.

What makes this vulnerability particularly concerning is its potential for wide-ranging exploitation. By leveraging outdated or abandoned plugins, attackers can circumvent security measures and gain deeper access to WordPress sites. Once installed, these plugins can tamper with database records, execute malicious scripts, and potentially create backdoors for future attacks. The combination of this flaw with the unpatched RCE vulnerability highlights the ongoing need for site administrators to be vigilant about updating and securing every component of their WordPress installation, including third-party plugins and themes.

This discovery underscores the importance of proactive security measures in the WordPress ecosystem. Security experts, including WPScan, are urging WordPress site owners to update the Hunk Companion plugin to version 1.9.0 or later to mitigate the risks associated with this vulnerability. In parallel, a similar high-severity vulnerability was recently disclosed in the WPForms plugin, demonstrating the broader trend of third-party plugin vulnerabilities being targeted by attackers. As the threat landscape continues to evolve, WordPress site owners must prioritize regular updates and comprehensive security practices to safeguard against such exploits.

Reference:

  • WordPress Hunk Companion Plugin Flaw Exploited to Install Malicious Plugins
Tags: Cyber AlertsCyber Alerts 2024Cyber threatsDecember 2024Hunk CompanionSQL injectionVulnerabilitiesWordpress
ADVERTISEMENT

Related Posts

Fake PyPI Login Site Steals Credentials

Fake PyPI Login Site Steals Credentials

September 26, 2025
Fake PyPI Login Site Steals Credentials

Google Warns of BRICKSTORM Malware

September 26, 2025
Fake PyPI Login Site Steals Credentials

Hidden WordPress Backdoors Create Admins

September 26, 2025
BadIIS Malware Spreads Via SEO Poisoning

Hackers Target AWS and Steal Credentials

September 24, 2025
BadIIS Malware Spreads Via SEO Poisoning

SonicWall SMA100 Update Removes Rootkit

September 24, 2025
BadIIS Malware Spreads Via SEO Poisoning

BadIIS Malware Spreads Via SEO Poisoning

September 24, 2025

Latest Alerts

Fake PyPI Login Site Steals Credentials

Google Warns of BRICKSTORM Malware

Hidden WordPress Backdoors Create Admins

Hackers Target AWS and Steal Credentials

SonicWall SMA100 Update Removes Rootkit

BadIIS Malware Spreads Via SEO Poisoning

Subscribe to our newsletter

    Latest Incidents

    Indian Bank Transfer Records Exposed

    Chinese Cyberspies Hit US Defense Firms

    Neon App Shuts Down After Data Leak

    Boyd Gaming Reports Data Breach After Attack

    Morrisroe UK Company Hit By Cyber Attack

    GeoServer Flaw Breaches US Agency Network

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial