Recent reports have highlighted significant security vulnerabilities in two popular WordPress plugins, Hunk Companion and WP Query Console. These flaws have allowed cybercriminals to exploit unpatched installations, gaining unauthorized access to numerous websites and potentially compromising sensitive data.
Key Takeaways
- Vulnerable Plugins: Hunk Companion and WP Query Console are the primary targets of exploitation.
- Severity: Both vulnerabilities have a CVSS score of 9.8, indicating critical severity.
- Exploitation: Attackers have been actively exploiting these vulnerabilities, leading to over 56,000 blocked attacks in just 24 hours.
- Updates Required: Users are urged to update to the latest versions of the affected plugins immediately.
Overview of Vulnerabilities
The vulnerabilities in question stem from a missing capability check in the Hunk Companion plugin, which is designed to enhance the functionality of ThemeHunk WordPress themes. This flaw allows unauthenticated attackers to install and activate arbitrary plugins without authorization, leading to potential remote code execution if other vulnerable plugins are present.
The specific vulnerability is tracked as CVE-2024-9707 and has been assigned a CVSS score of 9.8. A patch was released in version 1.8.5 of Hunk Companion in October, but subsequent versions, including 1.8.7, were found to still be vulnerable. A more effective patch was rolled out on December 10 with version 1.9.0.
WP Query Console Vulnerability
In addition to the Hunk Companion vulnerability, the WP Query Console plugin has also been identified as a target for exploitation. This plugin, which has not seen updates in over seven years, is affected by a remote code execution flaw tracked as CVE-2024-50498. This vulnerability allows malicious actors to execute commands on the target website, potentially granting them full control.
Despite being closed (removed from the WordPress.org plugin directory) on October 21, WP Query Console was still downloaded hundreds of times in the following months, indicating that attackers may have been leveraging it for mass exploitation campaigns.
Recommendations for Users
To mitigate the risks associated with these vulnerabilities, WordPress users are strongly advised to take the following actions:
- Update Plugins: Ensure that Hunk Companion is updated to version 1.9.0.
- Check for Intrusions: Review the installed plugins on your site for WP Query Console or any other plugin you did not install yourself.
- Monitor Activity: Keep an eye on website activity for any suspicious behavior that may indicate a breach.
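As an added example (not code from the original article or from either plugin's authors) covering the update and intrusion-check steps above, the script below reads WordPress plugin header comments and flags a Hunk Companion install older than the fixed 1.9.0 release or any copy of WP Query Console. The directory layout and the sample header text are constructed for illustration.

```python
"""Audit wp-content/plugins for the two plugins discussed in the article."""
import re
from pathlib import Path

# Header fields WordPress reads from the first 8 KB of a plugin's main file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.M)
FIXED_HUNK_VERSION = (1, 9, 0)  # first Hunk Companion release with the effective patch

# Constructed sample header, shaped like hunk-companion/hunk-companion.php would be.
SAMPLE_OLD_HUNK = "<?php\n/*\nPlugin Name: Hunk Companion\nVersion: 1.8.7\n*/\n"

def parse_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin file's header comment."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key, value.strip())  # first occurrence wins, as in WordPress
    return fields

def parse_version(version):
    """'1.8.7' -> (1, 8, 7); missing parts become 0, non-numeric parts compare as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def audit_plugin_text(main_file_text):
    """Return a finding for one plugin's main-file text, or None if nothing to report."""
    hdr = parse_header(main_file_text)
    name = hdr.get("Plugin Name", "").lower()
    version = hdr.get("Version", "0")
    if name == "hunk companion" and parse_version(version) < FIXED_HUNK_VERSION:
        return f"Hunk Companion {version} is vulnerable (CVE-2024-9707); update to 1.9.0"
    if name == "wp query console":
        return f"WP Query Console {version} present (CVE-2024-50498); remove it"
    return None

def audit_plugins_dir(plugins_dir):
    """Scan each plugin folder; the main file is whichever top-level .php carries a header."""
    findings = {}
    for plugin_dir in Path(plugins_dir).iterdir():
        if not plugin_dir.is_dir():
            continue
        for php in plugin_dir.glob("*.php"):
            finding = audit_plugin_text(php.read_text(errors="ignore"))
            if finding:
                findings[plugin_dir.name] = finding
                break
    return findings

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for slug, message in audit_plugins_dir(target).items():
        print(f"{slug}: {message}")
```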
Conclusion
The discovery of these vulnerabilities serves as a stark reminder of the importance of maintaining updated software and monitoring for potential security threats. As cybercriminals continue to exploit weaknesses in widely used plugins, website administrators must remain vigilant and proactive in securing their WordPress installations.