Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks.
The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations.
“This flaw poses a significant security risk, as it allows attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution (RCE), SQL Injection, Cross‑Site Scripting (XSS), and even the creation of administrative backdoors,” WPScan said in a report.
To make matters worse, attackers could leverage outdated or abandoned plugins to bypass security measures, tamper with database records, execute malicious scripts, and seize control of the websites.
WPScan said it discovered the security defect while analyzing an infection on an unspecified WordPress site, finding that threat actors were weaponizing it to install a now-closed plugin called WP Query Console, and subsequently leveraging an RCE bug in the installed plugin to execute malicious PHP code.
It is worth noting that the zero-day RCE flaw in WP Query Console, tracked as CVE-2024-50498 (CVSS score: 10.0), remains unpatched.
CVE-2024-11972 is also a patch bypass for CVE‑2024‑9707 (CVSS score: 9.8), a similar vulnerability in Hunk Companion that could permit the installation or activation of unauthorized plugins. That shortcoming was addressed in version 1.8.5.
At its core, the flaw stems from a bug in the script “hunk‑companion/import/app/app.php” that allows unauthenticated requests to bypass the checks put in place to verify whether the current user has permission to install plugins.
“What makes this attack particularly dangerous is its combination of factors — leveraging a previously patched vulnerability in Hunk Companion to install a now‑removed plugin with a known Remote Code Execution flaw,” WPScan’s Daniel Rodriguez noted.
“The chain of exploitation underscores the importance of securing every component of a WordPress site, especially third‑party themes and plugins, which can become critical points of entry for attackers.”
The development comes as Wordfence disclosed a high-severity flaw in the WPForms plugin (CVE-2024-11205, CVSS score: 8.5) that makes it possible for authenticated attackers, with Subscriber-level access and above, to refund Stripe payments and cancel subscriptions.
The vulnerability, which affects versions 1.8.4 up to, and including, 1.9.2.1, has been resolved in version 1.9.2.2 and later. The plugin is installed on over 6 million WordPress sites.
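As an added example (not code from the article, WPScan or Wordfence), the following script triages a site's plugin inventory against the three advisories above: Hunk Companion below 1.9.0, any installed copy of the closed WP Query Console plugin, and WPForms 1.8.4 through 1.9.2.1. It reads the JSON that WP-CLI's `wp plugin list --format=json` emits; the plugin slugs and the sample inventory are assumptions constructed for the example.

```python
import json

# Advisory table: slug -> (CVE, lowest affected version, first fixed version).
# A fixed version of None means no patched release exists (closed plugin).
# Slugs are assumed WordPress.org directory slugs, not taken from the article.
ADVISORIES = {
    "hunk-companion": ("CVE-2024-11972", "0", "1.9.0"),
    "wp-query-console": ("CVE-2024-50498", "0", None),
    "wpforms-lite": ("CVE-2024-11205", "1.8.4", "1.9.2.2"),
    "wpforms": ("CVE-2024-11205", "1.8.4", "1.9.2.2"),
}

def parse_version(v):
    """Turn '1.9.2.1' into a 4-tuple, padding with zeros so '1.9.2' sorts below '1.9.2.1'."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version, low, fixed):
    """True when low <= version < fixed (or version >= low and no fix exists)."""
    v = parse_version(version)
    if v < parse_version(low):
        return False
    return fixed is None or v < parse_version(fixed)

def triage(inventory_json):
    """Return (slug, version, cve) for every installed plugin in an affected range.
    Inactive plugins are reported too: an installed-but-inactive closed plugin is
    still a foothold worth removing."""
    findings = []
    for plugin in json.loads(inventory_json):
        advisory = ADVISORIES.get(plugin["name"])
        if advisory is None:
            continue
        cve, low, fixed = advisory
        if is_affected(plugin["version"], low, fixed):
            findings.append((plugin["name"], plugin["version"], cve))
    return findings

# Constructed sample of `wp plugin list --format=json` output (not from a real site).
SAMPLE = json.dumps([
    {"name": "hunk-companion", "status": "active", "update": "available", "version": "1.8.5"},
    {"name": "wp-query-console", "status": "inactive", "update": "none", "version": "1.0"},
    {"name": "wpforms-lite", "status": "active", "update": "none", "version": "1.9.2.2"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    for slug, ver, cve in triage(SAMPLE):
        print(f"{slug} {ver}: affected by {cve}")
```

On a real site, replace `SAMPLE` with the output of `wp plugin list --format=json`; the 1.8.5 Hunk Companion entry is flagged because that release only fixed CVE‑2024‑9707, not the bypass.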