Home Security WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins

WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins

by


Dec 12, 2024Ravie LakshmananWebsite Security / Vulnerability

Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks.

The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations.

“This flaw poses a significant security risk, as it enables attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution (RCE), SQL Injection, Cross‑Site Scripting (XSS), or even the creation of administrative backdoors,” WPScan said in a report.

Cybersecurity

To make matters worse, attackers could leverage outdated or abandoned plugins to circumvent security measures, tamper with database records, execute malicious scripts, and seize control of the sites.

WPScan said it uncovered the security defect when analyzing an infection on an unspecified WordPress site, finding that threat actors were weaponizing it to install a now-closed plugin called WP Query Console, and subsequently leveraging an RCE bug in the installed plugin to to execute malicious PHP code.

It’s worth noting that the zero-day RCE flaw in the WP Query Console, tracked as CVE-2024-50498 (CVSS score: 10.0), remains unpatched.

CVE-2024-11972 is also a patch bypass for CVE‑2024‑9707 (CVSS score: 9.8), a similar vulnerability in Hunk Companion that could enable the installation or activation of unauthorized plugins. This shortcoming was addressed in version 1.8.5.

At its core, it stems from a bug in the script “hunk‑companion/import/app/app.php” that allows unauthenticated requests to bypass checks put in place for verifying if the current user has permission to install plugins.

“What makes this attack particularly dangerous is its combination of factors — leveraging a previously patched vulnerability in Hunk Companion to install a now‑removed plugin with a known Remote Code Execution flaw,” WPScan’s Daniel Rodriguez noted.

Cybersecurity

“The chain of exploitation underscores the importance of securing every component of a WordPress site, especially third‑party themes and plugins, which can become critical points of entry for attackers.”

The development comes as Wordfence disclosed a high-severity flaw in the WPForms plugin (CVE-2024-11205, CVSS score: 8.5) that makes it possible for authenticated attackers, with Subscriber-level access and above, to refund Stripe payments and cancel subscriptions.

The vulnerability, which affects versions 1.8.4 up to, and including, 1.9.2.1, has been resolved in versions 1.9.2.2 or later. The plugin is installed on over 6 million WordPress sites.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex