Thousands of WordPress sites are currently exposed to significant security risks due to an unpatched vulnerability found in a popular plugin utilized by many users. Security researchers have reported that the flaw has been actively exploited in attacks that permit unauthorized execution of malicious code.
This critical vulnerability, designated as CVE-2024-11972, affects the Hunk Companion plugin, which is installed on approximately 10,000 websites utilizing the WordPress content management system. Rated with a severity of 9.8 out of 10, it poses a dire threat to site integrity. Recent assessments of the Hunk Companion plugin indicated that as of this posting, fewer than 12 percent of users have implemented the patch, leaving nearly 9,000 websites vulnerable to potential exploitation.
Experts have emphasized that this vulnerability poses a serious and multifaceted risk, especially for sites employing both a ThemeHunk theme and the Hunk Companion plugin. Daniel Rodriguez, a researcher at the WordPress security firm WP Scan, indicated that this critical exposure could enable unauthenticated attacks, significantly jeopardizing the integrity of many websites.
The vulnerability was brought to light during an investigation into a client’s compromised site, where WP Scan identified CVE-2024-11972 as the initial attack vector. The compromise enabled attackers to manipulate vulnerable sites to redirect automatically to wordpress.org, where they could download WP Query Console, an outdated plugin that has not seen updates in years.
The implications of this vulnerability extend beyond simple exploitation; it highlights a broader issue of inadequate patching by website administrators, which can lead to severe consequences for site security. Cyber adversaries often leverage techniques categorized under the MITRE ATT&CK framework, particularly initial access tactics, which can involve exploiting existing software vulnerabilities to gain control over systems.
Beyond initial access, the risks posed by such vulnerabilities can evolve into persistence tactics, where attackers maintain their foothold within compromised systems, and privilege escalation techniques, where they seek elevated access rights to further compromise secured areas of the site.
This alarming security incident underscores the importance of timely updates and patches to WordPress plugins and the potential for serious repercussions if neglected. As the cybersecurity landscape continues to evolve, business owners must remain vigilant in monitoring and securing their digital assets against emerging threats.
