Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks.
The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations.
"This flaw poses a significant security risk, as it allows attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution (RCE), SQL Injection, Cross-Site Scripting (XSS), and even the creation of administrative backdoors," WPScan said in a report.

To make matters worse, attackers could leverage outdated or abandoned plugins to bypass security measures, tamper with database records, execute malicious scripts, and seize control of the sites.
WPScan said it discovered the security defect while analyzing an infection on an unspecified WordPress site, finding that threat actors were weaponizing it to install a now-closed plugin called WP Query Console, and subsequently leveraging an RCE bug in the installed plugin to execute malicious PHP code.
It's worth noting that the zero-day RCE flaw in WP Query Console, tracked as CVE-2024-50498 (CVSS score: 10.0), remains unpatched.
CVE-2024-11972 is also a patch bypass for CVE-2024-9707 (CVSS score: 9.8), a similar vulnerability in Hunk Companion that could allow the installation or activation of unauthorized plugins. That shortcoming was addressed in version 1.8.5.
At its core, the issue stems from a bug in the script "hunk-companion/import/app/app.php" that allows unauthenticated requests to bypass the checks put in place to verify whether the current user has permission to install plugins.
"What makes this attack particularly dangerous is its combination of factors — leveraging a previously patched vulnerability in Hunk Companion to install a now-removed plugin with a known Remote Code Execution flaw," WPScan's Daniel Rodriguez noted.

"The chain of exploitation underscores the importance of securing every component of a WordPress site, especially third-party themes and plugins, which can become critical points of entry for attackers."
The development comes as Wordfence disclosed a high-severity flaw in the WPForms plugin (CVE-2024-11205, CVSS score: 8.5) that makes it possible for authenticated attackers, with Subscriber-level access and above, to refund Stripe payments and cancel subscriptions.
The vulnerability, which affects versions 1.8.4 up to, and including, 1.9.2.1, has been resolved in version 1.9.2.2 or later. The plugin is installed on over 6 million WordPress sites.
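The version ranges quoted in this article translate directly into an inventory check a site owner can run against the plugin header of each installed plugin. The script below is an added example written for this article; it is not code from WPScan, Wordfence or any of the plugins named. It assumes the standard WordPress plugin header format (`Plugin Name:` and `Version:` lines in the main plugin file's comment block), matches on the plugin display names as the article gives them, and encodes only the affected ranges the article states: Hunk Companion before 1.9.0, WPForms 1.8.4 through 1.9.2.1, and WP Query Console at any version because its RCE is unpatched and the plugin is closed. The sample headers are constructed for the demonstration.

```python
import re

# Affected-version ranges exactly as the article states them. "lo" is an
# inclusive lower bound, "hi" an exclusive upper bound, None means unbounded.
ADVISORIES = [
    {"plugin": "Hunk Companion", "cve": "CVE-2024-11972", "lo": None, "hi": (1, 9, 0),
     "action": "update to 1.9.0 or later"},
    {"plugin": "WP Query Console", "cve": "CVE-2024-50498", "lo": None, "hi": None,
     "action": "remove; plugin is closed and the RCE is unpatched"},
    {"plugin": "WPForms", "cve": "CVE-2024-11205", "lo": (1, 8, 4), "hi": (1, 9, 2, 2),
     "action": "update to 1.9.2.2 or later"},
]

# Matches "Plugin Name: X" / "Version: X" lines, with or without a leading "*".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_version(s):
    """'1.9.2.1' -> (1, 9, 2, 1); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def norm(v):
    """Pad to four components so that 1.9 == 1.9.0 == 1.9.0.0 in comparisons."""
    v = tuple(v)
    return v + (0,) * (4 - len(v))


def in_range(version, lo, hi):
    """True when version lies in [lo, hi); None bounds are open."""
    v = norm(version)
    if lo is not None and v < norm(lo):
        return False
    if hi is not None and v >= norm(hi):
        return False
    return True


def parse_plugin_header(text):
    """Return (name, version_tuple) from a plugin file header, or None."""
    fields = dict(HEADER_RE.findall(text))
    if "Plugin Name" not in fields or "Version" not in fields:
        return None
    return fields["Plugin Name"], parse_version(fields["Version"])


def assess(plugin_name, version):
    """Advisories from the article that apply to this plugin/version pair."""
    return [a for a in ADVISORIES
            if a["plugin"].lower() == plugin_name.lower()
            and in_range(version, a["lo"], a["hi"])]


def audit(header_texts):
    """Run assess() over a list of plugin headers; returns (name, version, cve) triples."""
    findings = []
    for text in header_texts:
        parsed = parse_plugin_header(text)
        if parsed is None:
            continue
        name, ver = parsed
        for a in assess(name, ver):
            findings.append((name, ".".join(map(str, ver)), a["cve"]))
    return findings


# Constructed sample headers (not real plugin files) covering each case.
SAMPLE_HEADERS = [
    "<?php\n/*\nPlugin Name: Hunk Companion\nVersion: 1.8.5\n*/",      # bypass of the 1.8.5 fix
    "<?php\n/**\n * Plugin Name: WPForms\n * Version: 1.9.2.1\n */",    # last affected version
    "<?php\n/*\nPlugin Name: WP Query Console\nVersion: 1.0\n*/",      # closed, unpatched
    "<?php\n/*\nPlugin Name: Hunk Companion\nVersion: 1.9.0\n*/",      # fixed version
]

if __name__ == "__main__":
    for name, ver, cve in audit(SAMPLE_HEADERS):
        action = next(a["action"] for a in ADVISORIES if a["cve"] == cve)
        print(f"{name} {ver}: {cve} -> {action}")
```

In a real deployment the header texts come from reading the main file of each directory under `wp-content/plugins/`; the ranges are inclusive on the low side and exclusive on the high side so that 1.9.2.1 is flagged for WPForms while 1.9.2.2 is not, and Hunk Companion 1.8.5 is flagged because the article identifies CVE-2024-11972 as a bypass of that fix.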