Hunk Companion Plugin Vulnerability Leaves Thousands of WordPress Sites Exposed
WordPress users are urged to update their plugins immediately after a critical vulnerability in the “Hunk Companion” plugin was discovered and actively exploited. The flaw, tracked as CVE-2024-11972, allows attackers to install and activate vulnerable plugins directly from the WordPress.org repository.
How the Vulnerability Works
Hunk Companion is a plugin designed to enhance ThemeHunk WordPress themes. It’s estimated to be used by over 10,000 websites. The vulnerability allows attackers to send unauthenticated POST requests to install arbitrary plugins.
WPScan researchers discovered this active exploitation, which chains the flaw with a vulnerable version of the WP Query Console plugin to execute malicious PHP code. That outdated plugin, last updated over 7 years ago, has its own zero-day RCE flaw (CVE-2024-50498), which attackers leverage for further malicious activity.
The Impact
“In the infections we’ve analyzed, attackers use the RCE to write a PHP dropper to the site’s root directory,” explains WPScan.
“This dropper allows continued unauthenticated uploads via GET requests, enabling persistent backdoor access to the site.”
What to Do
Users of Hunk Companion are strongly advised to update to version 1.9.0 immediately. Although the patched version has been downloaded approximately 1,800 times, that still leaves a significant number of websites vulnerable. This vulnerability highlights the importance of keeping your WordPress plugins and themes up to date to minimize your risk of a security breach.
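For site owners who want to verify the advice above across many installs, the following script is an added example (not code from the article, WPScan or ThemeHunk). It takes a plugin inventory in the shape of `wp plugin list --format=json` and a listing of the site root, flags Hunk Companion installs below the 1.9.0 patch level, flags any WP Query Console install on presence alone (the article describes it as abandoned with an unpatched RCE), and lists PHP files at the site root that WordPress core does not ship, since the reported droppers are written there. The inventory, the root listing and the plugin slugs `hunk-companion` and `wp-query-console` are constructed assumptions for a hypothetical site.

```python
import json

# Constructed sample inventory in the shape of `wp plugin list --format=json`
# (hypothetical site, not taken from the article).
SAMPLE_INVENTORY = json.dumps([
    {"name": "hunk-companion", "status": "active", "update": "available", "version": "1.8.5"},
    {"name": "wp-query-console", "status": "active", "update": "none", "version": "1.0"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
])

# Constructed directory listing of the site root for the same hypothetical site.
SAMPLE_ROOT_FILES = [
    "index.php", "wp-config.php", "wp-load.php", "wp-login.php",
    "wp-settings.php", "xmlrpc.php", ".htaccess", "wp-cache-helper.php",
]

# Assumptions: the patched Hunk Companion version is 1.9.0 (from the advisory);
# WP Query Console is flagged on mere presence because the article reports it
# as abandoned with an unpatched RCE. The slugs are assumed, not quoted.
PATCHED = {"hunk-companion": "1.9.0"}
FLAG_IF_PRESENT = {"wp-query-console"}

# PHP files that WordPress core itself ships at the site root. Anything else at
# that level deserves inspection, since WPScan reports droppers written there.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}


def parse_version(v):
    """Turn '1.8.5' into a comparable tuple; non-numeric parts sort as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True when version string a is older than b (shorter tuples are zero-padded)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def check_plugins(inventory_json):
    """Return findings for outdated or risky plugins in a wp-cli JSON inventory."""
    findings = []
    for p in json.loads(inventory_json):
        name, ver = p["name"], p["version"]
        if name in PATCHED and version_lt(ver, PATCHED[name]):
            findings.append(f"{name} {ver} is below patched {PATCHED[name]}: update now")
        if name in FLAG_IF_PRESENT:
            findings.append(f"{name} {ver} is installed ({p['status']}): abandoned plugin, remove it")
    return findings


def unexpected_root_php(files):
    """PHP files at the site root that WordPress core does not ship."""
    return sorted(f for f in files if f.endswith(".php") and f not in CORE_ROOT_PHP)


if __name__ == "__main__":
    for line in check_plugins(SAMPLE_INVENTORY):
        print("[plugin]", line)
    for f in unexpected_root_php(SAMPLE_ROOT_FILES):
        print("[root]  ", f, "is not a core file; inspect it")
```

On a real site, replace `SAMPLE_INVENTORY` with the output of `wp plugin list --format=json` and `SAMPLE_ROOT_FILES` with `os.listdir()` of the document root; a non-core PHP file at the root is not proof of compromise, but it is exactly where this campaign is reported to drop its backdoor, so it is the first thing to read.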