A critical vulnerability in the WordPress plugin Hunk Companion has been actively exploited by cybercriminals, allowing them to install outdated and vulnerable plugins on targeted websites. This flaw, identified as CVE-2024-11972, poses significant risks to website security, enabling attackers to execute malicious code and gain unauthorized access.
Key Takeaways
- Vulnerability Identified: CVE-2024-11972 allows unauthorized POST requests to install plugins.
- Affected Plugin: Hunk Companion, with over 10,000 active installations, is the primary target.
- Exploited Plugins: Attackers are installing outdated plugins like WP Query Console, which has not been updated in over seven years.
- Security Risks: The vulnerabilities in these plugins include remote code execution, SQL injection, and cross-site scripting.
- Urgent Action Required: Users are urged to update to version 1.9.0 of Hunk Companion to mitigate risks.
Overview Of The Vulnerability
The vulnerability in Hunk Companion allows attackers to send unauthorized requests that can install plugins from the WordPress.org repository. This capability is particularly dangerous as it enables the installation of plugins that contain known vulnerabilities, which can be exploited to compromise the security of the affected websites.
Impact On Websites
The exploitation of this vulnerability can lead to severe consequences for website owners, including:
- Malicious Code Execution: Attackers can execute harmful PHP code on compromised sites.
- Backdoor Access: A persistent backdoor can be created, allowing continued access to the site even after initial exploitation.
- Data Breaches: Sensitive data may be exposed or stolen, leading to potential legal and financial repercussions.
Current Status
Despite the release of a patch in version 1.9.0, only 1,800 out of 10,000 active installations have been updated. This leaves approximately 8,000 sites vulnerable to further exploitation. The researchers at WPScan, who discovered the flaw, emphasize the importance of immediate action to secure affected sites.
Recommendations For Users
To protect against this vulnerability, users of the Hunk Companion plugin should:
- Update Immediately: Ensure that the plugin is updated to version 1.9.0 or later.
- Audit Installed Plugins: Review all installed plugins for known vulnerabilities and remove any that are outdated or no longer maintained.
- Implement Security Measures: Consider additional security measures such as firewalls, regular backups, and security plugins to enhance website protection.
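One way to carry out the "Audit Installed Plugins" step above, as an added example that is not from the article or the plugin's own code: a small Python audit over the output of WP-CLI's `wp plugin list --format=json` plus per-plugin metadata shaped like the WordPress.org plugin-info API response. The installed-plugin records, the `1.8.5` version string, the dates and the two-year staleness threshold are constructed assumptions for illustration.

```python
"""Flag the two conditions the article describes: Hunk Companion below the
patched 1.9.0, and plugins that have gone years without an update."""
from datetime import datetime, timezone

PATCHED_HUNK_COMPANION = (1, 9, 0)
STALE_AFTER_DAYS = 2 * 365  # assumption: two years without an update is "unmaintained"


def parse_version(v):
    """Turn '1.8.5' into (1, 8, 5); non-numeric parts count as 0, short versions are padded."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))


def audit_plugins(installed, wporg_info, now):
    """Return a list of (slug, reason) findings. Inactive plugins are audited too,
    since their code still ships with the site."""
    findings = []
    for plugin in installed:
        slug, ver = plugin["name"], plugin["version"]
        if slug == "hunk-companion" and parse_version(ver) < PATCHED_HUNK_COMPANION:
            findings.append((slug, f"vulnerable to CVE-2024-11972 ({ver} < 1.9.0)"))
        info = wporg_info.get(slug)
        if info is None:
            findings.append((slug, "not on WordPress.org; verify its origin"))
            continue
        # last_updated from the API starts with an ISO date, e.g. "2017-06-01 9:00am GMT"
        last = datetime.strptime(info["last_updated"][:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        age_days = (now - last).days
        if age_days > STALE_AFTER_DAYS:
            findings.append((slug, f"last updated {age_days // 365} years ago"))
    return findings


INSTALLED = [  # constructed sample, shape of `wp plugin list --format=json`
    {"name": "hunk-companion", "status": "active", "update": "available", "version": "1.8.5"},
    {"name": "wp-query-console", "status": "active", "update": "none", "version": "1.0"},
    {"name": "example-helper", "status": "inactive", "update": "none", "version": "2.4"},
]
WPORG_INFO = {  # constructed, shaped like api.wordpress.org/plugins/info/1.0/<slug>.json
    "hunk-companion": {"last_updated": "2024-12-10 10:00am GMT"},
    "wp-query-console": {"last_updated": "2017-06-01 9:00am GMT"},
    "example-helper": {"last_updated": "2024-11-20 8:00am GMT"},
}
NOW = datetime(2024, 12, 16, tzinfo=timezone.utc)  # constructed audit date

if __name__ == "__main__":
    for slug, reason in audit_plugins(INSTALLED, WPORG_INFO, NOW):
        print(f"{slug}: {reason}")
```

On a live site, replace the constructed records with the real `wp plugin list` output and the API responses for each slug; anything flagged should be updated or removed before the site is considered patched.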
Conclusion
The exploitation of the Hunk Companion plugin vulnerability highlights the ongoing risks associated with outdated software in the WordPress ecosystem. Website owners must remain vigilant and proactive in securing their sites against potential threats. Regular updates and security audits are essential to maintaining a secure online presence.