A critical vulnerability in the WordPress Hunk Companion plugin has been identified, allowing malicious actors to install additional vulnerable plugins and create pathways for attacks. This flaw, designated as CVE-2024-11972 with a CVSS score of 9.8, impacts all versions preceding 1.9.0 and affects over 10,000 active installations, heightening security risks for users.
Cybersecurity firm WPScan issued a report highlighting the severe implications of this vulnerability. It enables attackers to deploy vulnerable or deprecated plugins that can be exploited for various malicious activities, including Remote Code Execution (RCE), SQL Injection, and Cross-Site Scripting (XSS). The ability to establish administrative backdoors further exacerbates the risk.
The exploitation was uncovered while investigating an infected WordPress site, which revealed that attackers were using this vulnerability to install the now-discontinued WP Query Console plugin. That plugin harbors an unpatched RCE flaw, tracked as CVE-2024-50498 and rated 10.0 on the CVSS scale, which the attackers leveraged to execute malicious PHP code.
Additionally, CVE-2024-11972 serves as a bypass for a related issue noted in CVE-2024-9707, another vulnerability previously fixed in version 1.8.5 of Hunk Companion. The underlying problem lies in the script “hunk-companion/import/app/app.php,” which permits unauthenticated requests to bypass authentication checks for plugin installations, posing significant security threats.
The chain of exploitation seen here underscores the crucial need for robust security measures around all components of a WordPress site, particularly third-party themes and plugins that can serve as entry points for adversaries. WPScan’s Daniel Rodriguez emphasized the confluence of factors making this attack particularly perilous, including the combination of a previously addressed vulnerability and the misuse of deprecated software.
This incident coincides with another security alert from Wordfence regarding a serious vulnerability in the WPForms plugin (CVE-2024-11205, CVSS score: 8.5), which allows authenticated attackers with Subscriber-level access to refund Stripe payments and cancel subscriptions. The flaw affects versions up to 1.9.2.1 and has been patched in version 1.9.2.2; WPForms has over six million WordPress installations.
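As an added triage example (not code from WPScan, Wordfence or any of the plugins discussed), the script below reads WordPress plugin file headers, flags Hunk Companion and WPForms installs older than the fixed versions named above, and reports the presence of WP Query Console, the discontinued plugin the attackers installed. It assumes plugins are identified by the "Plugin Name:" header (WPForms matched by prefix, since the free build is titled "WPForms Lite"); the sample headers are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed release for each plugin named in the article; keys are matched
# as case-insensitive prefixes of the "Plugin Name:" header (assumption).
FIXED_VERSIONS: Dict[str, str] = {
    "hunk companion": "1.9.0",   # CVE-2024-11972
    "wpforms": "1.9.2.2",        # CVE-2024-11205
}
# Plugin the article reports being installed through the flaw (unpatched RCE).
INDICATOR_PLUGINS = {"wp query console"}  # CVE-2024-50498

HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)

def parse_plugin_header(source: str) -> Dict[str, str]:
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin file header."""
    return {key: value for key, value in HEADER_RE.findall(source)}

def version_tuple(v: str) -> Tuple[int, ...]:
    """'1.9.2.1' -> (1, 9, 2, 1); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b ('1.9' equals '1.9.0')."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))

def assess(headers: Dict[str, str]) -> Optional[str]:
    """Return a finding for a parsed header, or None if nothing is flagged."""
    name = headers.get("Plugin Name", "").lower()
    version = headers.get("Version", "0")
    if any(name.startswith(ind) for ind in INDICATOR_PLUGINS):
        return f"{headers['Plugin Name']}: discontinued plugin with unpatched RCE present"
    for prefix, fixed in FIXED_VERSIONS.items():
        if name.startswith(prefix) and version_lt(version, fixed):
            return f"{headers['Plugin Name']} {version}: vulnerable, update to >= {fixed}"
    return None

# Constructed plugin headers standing in for files under wp-content/plugins/.
SAMPLE_PLUGINS = [
    "<?php\n/*\nPlugin Name: Hunk Companion\nVersion: 1.8.5\n*/",
    "<?php\n/**\n * Plugin Name: WPForms Lite\n * Version: 1.9.2.2\n */",
    "<?php\n/*\nPlugin Name: WP Query Console\nVersion: 1.0\n*/",
]

def scan(sources: List[str]) -> List[str]:
    """Assess every plugin source and return only the findings."""
    return [f for f in (assess(parse_plugin_header(s)) for s in sources) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PLUGINS):
        print(finding)
```

On a real site, feed `scan()` the contents of each plugin's main PHP file; the two version checks and the indicator match are the only data it needs.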
The risks associated with the Hunk Companion plugin and the apparent sophistication of these attacks follow a concerning trend in cybersecurity that emphasizes the need for vigilant monitoring and proactive measures. This incident serves as a sobering reminder of the vulnerabilities inherent in widespread software platforms and the importance of timely updates to mitigate risks.