Hunk Companion Plugin Under Attack
A critical vulnerability in the popular WordPress Hunk Companion plugin is being actively exploited by malicious actors to install other vulnerable plugins, exposing websites to a host of security threats.
The vulnerability, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. Hunk Companion currently has over 10,000 active installations.
“This flaw is a significant risk, allowing attackers to install outdated, vulnerable, or discontinued plugins. These plugins can then be exploited for severe attacks like Remote Code Execution (RCE), SQL Injection, Cross-Site Scripting (XSS), or even the creation of administrative backdoors,” WPScan revealed in its report.
Exploiting the Flaw
Threat actors are reportedly leveraging the vulnerability to bypass the plugin's permission checks, install unapproved plugins, and carry out malicious activities such as:
- Tampering with database records
- Running unauthorized scripts
- Gaining administrative control of websites
WPScan discovered the vulnerability while investigating a compromised WordPress site. Attackers had used it to install a discontinued plugin, WP Query Console, and then exploited an RCE bug within that plugin to execute malicious PHP code.
Alarmingly, the RCE flaw in WP Query Console (CVE-2024-50498, CVSS score: 10.0) remains unpatched, adding to the risks for targeted websites.
Linking Multiple Vulnerabilities
CVE-2024-11972 is also a bypass of the patch for a similar vulnerability, CVE-2024-9707 (CVSS score: 9.8), which was addressed in version 1.8.5 of Hunk Companion. Both flaws enable unauthorized plugin installation through a script in the plugin (hunk-companion/import/app/app.php) that fails to properly verify user permissions.
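The missing-authorization pattern behind this class of bug, shown as an added illustration rather than Hunk Companion's own code: a hypothetical REST route that installs a plugin from a caller-supplied slug. The first registration is the vulnerable shape, with a permission callback that always returns true, so any unauthenticated visitor can trigger an install. The second puts the `install_plugins` capability check in the route's `permission_callback` (which WordPress evaluates before the handler runs), constrains the slug to an allowlist, and resolves the package through WordPress's own installer. The namespace `example/v1`, the route names, the `example_` functions and the allowlist contents are all assumptions made for the example.

```php
<?php
// Added example, not code from Hunk Companion or WPScan. A hypothetical REST
// endpoint that installs a plugin by slug: vulnerable form, then hardened form.

// VULNERABLE: permission_callback is '__return_true', so the route performs no
// authorization at all. Anyone who can reach /wp-json/ can POST a slug and have
// the site install it, including discontinued plugins such as WP Query Console.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/import-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_from_request',
        'permission_callback' => '__return_true',   // no permission check
    ) );
} );

// HARDENED: the capability check lives in permission_callback, which WordPress
// runs before the handler and before any of the handler's own parsing, and the
// slug is sanitized and validated against an explicit allowlist.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/import-plugin-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_from_request',
        'permission_callback' => function () {
            // install_plugins is held by Administrators. Cookie-authenticated REST
            // calls must also carry a valid X-WP-Nonce, which WordPress verifies
            // before this callback; without it the request is treated as anonymous.
            if ( ! current_user_can( 'install_plugins' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Installing plugins requires the install_plugins capability.',
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $slug ) {
                    return in_array( $slug, example_allowed_plugin_slugs(), true );
                },
            ),
        ),
    ) );
} );

function example_allowed_plugin_slugs() {
    // Assumed allowlist: only the companion plugins the theme actually needs.
    return array( 'contact-form-7', 'classic-editor' );
}

function example_install_plugin_from_request( WP_REST_Request $request ) {
    $slug = $request->get_param( 'slug' );

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Resolve the slug through the wordpress.org plugin API so the package comes
    // from the directory's current listing; a slug that is no longer listed
    // cannot be resolved and the install stops here.
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return new WP_Error( 'plugin_not_available', $api->get_error_message(), array( 'status' => 400 ) );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        return new WP_Error( 'install_failed', 'Plugin installation failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'installed' => $slug ) );
}
```

The design point is where the check sits: a capability test buried inside the handler, after parameters have been read and partially acted on, is what patch bypasses tend to route around. In `permission_callback` it is the first thing WordPress evaluates for the route, and a failure never reaches the installer.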
“This attack chain is particularly dangerous,” said Daniel Rodriguez of WPScan, “as it combines a previously patched vulnerability in Hunk Companion with a Remote Code Execution flaw in a removed plugin. This demonstrates the importance of securing every component of a WordPress site, especially third-party themes and plugins, which are often prime targets for attackers.”
Additional WordPress Vulnerabilities
In related news, Wordfence disclosed a high-severity vulnerability in the WPForms plugin (CVE-2024-11205, CVSS score: 8.5). This flaw allows authenticated users with Subscriber-level access or higher to refund Stripe payments and cancel subscriptions.
The vulnerability affects versions 1.8.4 to 1.9.2.1 of WPForms. Website owners are urged to update to version 1.9.2.2 or later to mitigate the risk. The WPForms plugin is currently installed on over 6 million WordPress websites.
Key Takeaways
The wave of exploitation targeting WordPress plugins like Hunk Companion and WPForms highlights the critical need for website administrators to:
- Regularly update all plugins and themes to the latest versions.
- Monitor for discontinued or vulnerable plugins and replace them immediately.
- Restrict plugin installation and administrative access to the accounts that genuinely need them.
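A concrete form of the first two items, covering the three plugins discussed on this page. This is an added example, not code from WPScan, Wordfence or the plugins themselves: a must-use plugin that reads the installed plugin headers with WordPress's `get_plugins()`, compares versions against the affected ranges stated above with PHP's `version_compare()`, and raises an admin notice for each match. The `vpa_` function names and the notice wording are assumptions; the version ranges are the ones given in the advisories above.

```php
<?php
/**
 * Plugin Name: Vulnerable Plugin Audit (added example)
 * Description: Flags installed plugins in the affected ranges named on this page.
 */
// Added example. Place in wp-content/mu-plugins/ and the check runs on every
// admin page load, covering installed plugins whether active or not.

// Affected ranges as stated above. 'lo' is inclusive, 'hi' is exclusive,
// null means unbounded on that side.
function vpa_rules() {
    return array(
        array( 'name' => 'Hunk Companion',   'lo' => null,    'hi' => '1.9.0',   'cve' => 'CVE-2024-11972', 'action' => 'update to 1.9.0 or later' ),
        array( 'name' => 'Hunk Companion',   'lo' => null,    'hi' => '1.8.5',   'cve' => 'CVE-2024-9707',  'action' => 'update to 1.9.0 or later' ),
        array( 'name' => 'WPForms',          'lo' => '1.8.4', 'hi' => '1.9.2.2', 'cve' => 'CVE-2024-11205', 'action' => 'update to 1.9.2.2 or later' ),
        array( 'name' => 'WP Query Console', 'lo' => null,    'hi' => null,      'cve' => 'CVE-2024-50498', 'action' => 'no fix available; remove the plugin' ),
    );
}

// Returns every rule matched by one plugin's header name and version.
// The name test is a prefix match so "WPForms Lite" matches the WPForms rule.
function vpa_assess( $name, $version ) {
    $hits = array();
    foreach ( vpa_rules() as $rule ) {
        if ( stripos( $name, $rule['name'] ) !== 0 ) {
            continue;
        }
        if ( $rule['lo'] !== null && version_compare( $version, $rule['lo'], '<' ) ) {
            continue;
        }
        if ( $rule['hi'] !== null && version_compare( $version, $rule['hi'], '>=' ) ) {
            continue;
        }
        $hits[] = $rule;
    }
    return $hits;
}

// One finding string per (plugin, rule) match across all installed plugins.
function vpa_findings() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $findings = array();
    foreach ( get_plugins() as $file => $header ) {
        foreach ( vpa_assess( $header['Name'], $header['Version'] ) as $rule ) {
            $findings[] = sprintf(
                '%s: %s %s (%s) is affected; %s.',
                $rule['cve'], $header['Name'], $header['Version'], $file, $rule['action']
            );
        }
    }
    return $findings;
}

add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    foreach ( vpa_findings() as $line ) {
        printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $line ) );
    }
} );
```

For a one-off check without installing anything, `wp plugin list --fields=name,version` from WP-CLI prints the same name and version pairs the code reads from the headers, and the ranges in `vpa_rules()` can be compared by hand. Note that `version_compare()` treats a shorter version string as lower than its padded form (`1.9` sorts below `1.9.0`), which errs on the side of flagging.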
WordPress sites, especially those relying on third-party plugins, remain attractive targets for attackers. Proactive patching and vigilant monitoring are essential to safeguarding websites against such threats.