Protect Your WordPress Site: Critical Vulnerability in Hunk Companion Plugin Exploited

Hackers are actively targeting a critical vulnerability in the Hunk Companion plugin, taking advantage of security flaws to install and activate other plugins with exploitable vulnerabilities from the WordPress.org repository. This ongoing exploitation exposes affected websites to significant risks, including remote code execution (RCE), SQL injection, cross-site scripting (XSS), and the creation of unauthorized admin accounts.
Discovery and Exploitation of the WordPress Plugin Vulnerability

This malicious activity was identified by WPScan, a leading authority in WordPress security, which promptly reported the issue to the Hunk Companion team. A security patch addressing this zero-day vulnerability was released yesterday.

The Hunk Companion plugin, developed to complement customizable themes by ThemeHunk, enhances website functionality but is not a standalone tool. Despite its niche audience, it is currently active on over 10,000 WordPress sites, according to WordPress.org statistics.
Critical Flaw: CVE-2024-11972

The vulnerability, tracked as CVE-2024-11972, was discovered by WPScan researcher Daniel Rodriguez. This flaw allows attackers to install arbitrary plugins by exploiting unauthenticated POST requests. All versions of Hunk Companion prior to 1.9.0 are affected, making an upgrade to the latest version essential.

While investigating an infected WordPress site, WPScan observed attackers exploiting CVE-2024-11972 to install an outdated and vulnerable version of WP Query Console, a plugin last updated over seven years ago. By leveraging the zero-day CVE-2024-50498 within WP Query Console, hackers executed malicious PHP code on compromised websites, escalating the attack.
Persistent Backdoor Access: A Threat to WordPress Websites

WPScan revealed that attackers use the RCE vulnerability to deploy a PHP dropper into the root directory of affected sites. This backdoor facilitates unauthenticated uploads via GET requests, granting hackers persistent access to the compromised websites.

Interestingly, this is not the first time Hunk Companion has faced similar issues. A previous vulnerability, CVE-2024-9707, was patched in version 1.8.5, but attackers managed to bypass that fix, highlighting the importance of robust and comprehensive security updates.
How to Protect Your WordPress Site

Given the critical nature of this vulnerability and its active exploitation, it’s imperative for users of Hunk Companion to upgrade to version 1.9.0 immediately. As of now, only 1,800 downloads of the updated version have been recorded, leaving over 8,000 WordPress websites vulnerable to attack.

To safeguard your site:

Update all plugins and themes regularly to their latest versions.
Use a reliable WordPress security plugin to monitor suspicious activities.
Regularly back up your website to prevent data loss in case of an attack.
Implement firewalls and restrict file uploads to authorized users only.
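A defender-side check for the situation the article describes, added here as an example (it is not code from the article, WPScan or ThemeHunk): it reads a WP-CLI plugin listing and flags a Hunk Companion version below 1.9.0 or the presence of WP Query Console, and lists recently changed PHP files in the web root where the article says the dropper lands. The plugin slugs hunk-companion and wp-query-console are assumed, and the CSV is constructed sample data in the shape WP-CLI emits.

```shell
# Added example; slugs "hunk-companion" and "wp-query-console" are assumptions.
# Sample CSV is constructed in the shape of:
#   wp plugin list --format=csv --fields=name,status,version

# version_lt A B: true (0) when dotted version A is strictly lower than B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
      if (p < q) exit 0
      if (p > q) exit 1
    }
    exit 1            # equal versions are not "lower"
  }'
}

# audit_plugins: reads the CSV on stdin, prints one line per finding,
# returns 1 if anything needs action and 0 otherwise.
audit_plugins() {
  rc=0
  while IFS=, read -r name status version; do
    case "$name" in
      name) ;;                                  # skip the header row
      hunk-companion)
        if version_lt "$version" "1.9.0"; then
          echo "VULNERABLE hunk-companion $version < 1.9.0 (CVE-2024-11972): update now"
          rc=1
        fi ;;
      wp-query-console)
        echo "SUSPECT wp-query-console $version ($status): installed in the reported attacks (CVE-2024-50498); verify who installed it"
        rc=1 ;;
    esac
  done
  return $rc
}

# recent_root_php DIR [DAYS]: .php files directly in the web root changed
# within DAYS days (default 7); review any you did not put there.
recent_root_php() {
  find "$1" -maxdepth 1 -type f -name '*.php' -mtime "-${2:-7}"
}

# Constructed sample listing; on a live site pipe the wp-cli command above instead.
SAMPLE_CSV='name,status,version
hunk-companion,active,1.8.5
wp-query-console,active,1.0
akismet,inactive,5.3'
printf '%s\n' "$SAMPLE_CSV" | audit_plugins || echo "Action required."
```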

Stay Ahead of WordPress Security Risks

As a WordPress user, you should treat proactive measures as your first line of defense. Hackers continuously look for vulnerabilities, so keeping your plugins and themes updated is essential to avoid falling victim to such attacks.
