Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label CVE-2024-11972. Show all posts

Critical Security Flaw in "Hunk Companion" Plugin Exploited by Hackers

 


Hackers are actively exploiting a serious security vulnerability in the "Hunk Companion" plugin to install and activate other plugins that contain known vulnerabilities from the WordPress.org repository. This targeted attack allows the installation of plugins with a variety of vulnerabilities, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS), and even enables the creation of unauthorized admin backdoors.

Exploitation of Outdated Plugins

By focusing on outdated plugins with existing exploits, attackers can execute malicious actions, compromising WordPress sites. WPScan discovered the malicious activity and reported the issue to the developers of Hunk Companion. In response, a security update addressing the zero-day vulnerability was released yesterday.

Hunk Companion is an add-on plugin designed to enhance WordPress themes developed by ThemeHunk. Although it is installed on over 10,000 WordPress sites, it remains a relatively niche tool within the WordPress ecosystem, according to WordPress.org statistics.

Details of the Vulnerability

The critical vulnerability, identified by WPScan researcher Daniel Rodriguez, is tracked as CVE-2024-11972. This flaw allows attackers to install plugins via POST requests without authentication, creating a serious security risk for affected WordPress sites.

All versions of Hunk Companion prior to version 1.9.0, released yesterday, are affected. During an investigation of an infected site, WPScan found evidence of active exploitation of CVE-2024-11972. This exploit enabled the installation of a compromised version of the WP Query Console plugin, which has not been updated in over seven years. The hackers used this plugin to execute malicious PHP code by exploiting the RCE flaw CVE-2024-50498.

According to WPScan, “In the infections we've analyzed, attackers use the RCE to write a PHP dropper to the site’s root directory. This dropper allows continued unauthenticated uploads via GET requests, enabling persistent backdoor access to the site.”

Previous Attempts to Fix the Vulnerability

A similar flaw was addressed in version 1.8.5 of Hunk Companion, tracked as CVE-2024-9707. However, this fix was found to be insufficient, and attackers managed to bypass it.

Due to the severity of this vulnerability and the ongoing exploitation, users of Hunk Companion are strongly advised to update to version 1.9.0 immediately. At the time of reporting, version 1.9.0 had been downloaded around 1,800 times, leaving approximately 8,000 sites still vulnerable to attacks.