Hackers are exploiting a critical flaw in the “Hunk Companion” WordPress plugin to install and activate vulnerable plugins directly from the WordPress.org repository, leaving the affected sites open to follow-on attacks.
The plugins they install are outdated and carry known vulnerabilities with public exploits, giving the attackers a wide choice of flaws that can lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS), or the creation of backdoor administrator accounts.
The vulnerability was discovered by WPScan, which notified Hunk Companion, and a patch has since been released for what was being exploited in the wild as a zero-day.
Installing vulnerable plugins
Hunk Companion is a WordPress plugin that extends the functionality of themes developed by ThemeHunk; it is a companion to those themes rather than a standalone plugin in its own right.
According to WordPress.org statistics, Hunk Companion is installed on more than 10,000 WordPress sites, which makes it a relatively niche plugin.
The critical vulnerability, discovered by WPScan’s Daniel Rodriguez and tracked as CVE-2024-11972, allows unrestricted installation of plugins through POST requests that the plugin does not check for authorization.
It affects all versions of Hunk Companion prior to 1.9.0, released yesterday, which fixes the issue.
While investigating a compromised WordPress site, WPScan found CVE-2024-11972 being exploited in the wild to install an outdated version of a plugin.
That plugin had not been updated in over seven years, and the attackers leveraged a zero-day remote code execution (RCE) vulnerability in it to write and execute malicious PHP code on the targeted sites.
“Attackers exploiting vulnerabilities utilize the Remote Code Execution (RCE) capability to deploy a PHP dropper directly to the affected system’s root directory.”
The foothold persists: additional unauthorised files can then be uploaded via plain GET requests, keeping a covert entry point open on the site.
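The two observable steps of the chain described above, an unauthenticated POST to the plugin-install endpoint followed by GET requests to a PHP file dropped in the site root, are what a responder would look for in web-server logs. The script below is an added example, not code from the article, WPScan or Hunk Companion: it parses combined-format access logs, flags that sequence, and checks a plugin's Version: header against the fixed release. The REST path assigned to HC_INSTALL_ROUTE is an assumption of this example (the article does not name the endpoint), and the log lines and plugin header are constructed samples.

```python
"""Added example for triaging the attack chain described above.

Not code from the article, WPScan or Hunk Companion. Assumptions, which the
article does not state and which should be adjusted to local facts:
  * HC_INSTALL_ROUTE is the REST route used for the plugin-install step.
  * SAMPLE_LOG and SAMPLE_HEADER are constructed data, not real captures.
"""
import re

# Assumption: route of the vulnerable plugin-install endpoint (not in the article).
HC_INSTALL_ROUTE = "/wp-json/hc/v1/themehunk-import"
FIXED_VERSION = (1, 9, 0)   # first release the article says fixes the flaw

# PHP files that legitimately live directly in a WordPress document root.
WP_ROOT_PHP = {
    "/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
    "/wp-activate.php", "/wp-comments-post.php", "/wp-signup.php",
    "/wp-trackback.php", "/wp-mail.php", "/wp-links-opml.php",
    "/wp-blog-header.php", "/wp-load.php", "/wp-settings.php", "/wp-config.php",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def find_exploit_chain(lines):
    """Return (install_hits, dropper_hits).

    install_hits: POST requests to the install route, i.e. the unauthenticated
                  plugin-install step.
    dropper_hits: later GET requests, from an IP that performed that step, to a
                  .php file directly under the site root that WordPress itself
                  does not ship: the shape of a dropped web shell fetched via GET.
    """
    install_hits, dropper_hits = [], []
    install_ips = set()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == HC_INSTALL_ROUTE:
            install_hits.append(rec)
            install_ips.add(rec["ip"])
        elif (rec["method"] == "GET" and rec["ip"] in install_ips
              and re.fullmatch(r"/[^/]+\.php", rec["path"])
              and rec["path"] not in WP_ROOT_PHP):
            dropper_hits.append(rec)
    return install_hits, dropper_hits


def parse_plugin_version(header_text):
    """Extract the Version: header of a plugin's main PHP file as a 3-tuple of ints."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.M)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]   # normalise to major.minor.patch


def is_vulnerable(version):
    """True for any Hunk Companion release before the fixed version."""
    return version is not None and version < FIXED_VERSION


# Constructed sample log: one attacker IP runs the chain, one visitor browses normally.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2024:14:02:11 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 143 "-" "python-requests/2.31"
203.0.113.5 - - [10/Dec/2024:14:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.5 - - [10/Dec/2024:14:03:02 +0000] "GET /wp-s.php?cmd=id HTTP/1.1" 200 57 "-" "python-requests/2.31"
198.51.100.7 - - [10/Dec/2024:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2024:14:05:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

# Constructed plugin header, the kind of text WordPress reads from a plugin's main file.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Hunk Companion
 * Version: 1.8.5
 */
"""

if __name__ == "__main__":
    installs, droppers = find_exploit_chain(SAMPLE_LOG.splitlines())
    for rec in installs:
        print(f"plugin-install POST from {rec['ip']} at {rec['ts']}")
    for rec in droppers:
        print(f"possible dropper fetch: {rec['ip']} GET {rec['path']} ({rec['status']})")
    v = parse_plugin_version(SAMPLE_HEADER)
    print("Hunk Companion", ".".join(map(str, v)), "vulnerable" if is_vulnerable(v) else "patched")
```

Run it against a real access log by passing the file's lines to find_exploit_chain; the root-level PHP allow-list is deliberately strict, so any hit deserves a look at the file's creation time and contents rather than being dismissed.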
A similar vulnerability was patched in Hunk Companion version 1.8.5 and tracked under bug report number [insert number], but that fix was incomplete and left the issue exploitable.
Given the severity of the flaws and the fact that they are being actively exploited, all Hunk Companion users should upgrade to version 1.9.0 as soon as possible.
At the time of writing, the vulnerability had only just been disclosed and at least 8,000 sites remained exposed to attack.