Hackers are exploiting a essential vulnerability within the “Hunk Companion” plugin to put in and activate different plugins with exploitable flaws instantly from the WordPress.org repository.
By putting in outdated plugins with recognized vulnerabilities with obtainable exploits, the attackers can entry a big pool of flaws that result in distant code execution (RCE), SQL injection, cross-site scripting (XSS) flaws, or create backdoor admin accounts.
The exercise was found by WPScan, who reported it to Hunk Companion, with a safety replace addressing the zero-day flaw launched yesterday.
Putting in weak plugins
Hunk Companion is a WordPress plugin designed to enrich and improve the performance of themes developed by ThemeHunk, a supplier of customizable WordPress themes, so it is extra of an add-on moderately than a standalone plugin.
In line with WordPress.org stats, Hunk Companion is at present utilized by over 10,000 WordPress websites, so it is a comparatively area of interest device within the house.
The essential vulnerability was found by WPScan researcher Daniel Rodriguez and is tracked as CVE-2024-11972. The flaw permits the arbitrary set up of plugins by way of unauthenticated POST requests.
The difficulty impacts all variations of Hunk Companion earlier than the most recent 1.9.0, launched yesterday, which addressed the issue.
Whereas investigating a WordPress web site an infection, WPScan found energetic exploitation of CVE-2024-11972 to put in a weak model of WP Question Console.
That is an obscure plugin final up to date over 7 years in the past, which the hackers exploited to execute malicious PHP code on the focused websites, leveraging the zero-day RCE flaw CVE-2024-50498.
“Within the infections we have analyzed, attackers use the RCE to put in writing a PHP dropper to the location’s root listing,” explains WPScan.
“This dropper permits continued unauthenticated uploads through GET requests, enabling persistent backdoor entry to the location.”
It is price noting that Hunk Companion fastened an analogous flaw in model 1.8.5, which was tracked beneath CVE-2024-9707, however apparently, the patch wasn’t ample, and methods to bypass it exist.
Given the flaw’s severity and its energetic exploitation standing, customers of Hunk Companion are really helpful to replace to 1.9.0 as quickly as attainable.
On the time of writing, the most recent model has been downloaded roughly 1,800 occasions, so not less than eight thousand web sites stay weak to exploitation.
