Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks.
The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations.
“This flaw poses a significant security risk, as it enables attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution (RCE), SQL Injection, Cross‑Site Scripting (XSS), or even the creation of administrative backdoors,” WPScan said in a report.
To make matters worse, attackers could leverage outdated or abandoned plugins to circumvent security measures, tamper with database records, execute malicious scripts, and seize control of the sites.
WPScan said it uncovered the security defect when analyzing an infection on an unspecified WordPress site, finding that threat actors were weaponizing it to install a now-closed plugin called WP Query Console, and subsequently leveraging an RCE bug in the installed plugin to to execute malicious PHP code.
It’s worth noting that the zero-day RCE flaw in the WP Query Console, tracked as CVE-2024-50498 (CVSS score: 10.0), remains unpatched.
CVE-2024-11972 is also a patch bypass for CVE‑2024‑9707 (CVSS score: 9.8), a similar vulnerability in Hunk Companion that could enable the installation or activation of unauthorized plugins. This shortcoming was addressed in version 1.8.5.
At its core, it stems from a bug in the script “hunk‑companion/import/app/app.php” that allows unauthenticated requests to bypass checks put in place for verifying if the current user has permission to install plugins.
“What makes this attack particularly dangerous is its combination of factors — leveraging a previously patched vulnerability in Hunk Companion to install a now‑removed plugin with a known Remote Code Execution flaw,” WPScan’s Daniel Rodriguez noted.
“The chain of exploitation underscores the importance of securing every component of a WordPress site, especially third‑party themes and plugins, which can become critical points of entry for attackers.”
The development comes as Wordfence disclosed a high-severity flaw in the WPForms plugin (CVE-2024-11205, CVSS score: 8.5) that makes it possible for authenticated attackers, with Subscriber-level access and above, to refund Stripe payments and cancel subscriptions.
The vulnerability, which affects versions 1.8.4 up to, and including, 1.9.2.1, has been resolved in versions 1.9.2.2 or later. The plugin is installed on over 6 million WordPress sites.
