Another major WordPress plugin has been hacked to try and hijack your sites

(Image credit: Shutterstock/monticello)

Researchers from WPScan find flaw in Hunk Companion, a plugin with roughly 10,000 users
The flaw allows crooks to install other plugins from the WP repository, including those with known RCE flaws
WPScan found the flaw while investigating an active attack

Hackers have reportedly found a way to install old, outdated, and vulnerable plugins on WordPress websites, directly from the WordPress plugin repository. That way, they are able to introduce vulnerabilities to target sites made with the website builder, which grant them remote code execution (RCE) abilities, SQL injection, cross-site scripting (XSS), admin account creation, and more.

The bug that allows crooks to do that was found in Hunk Companion, a utility plugin designed to enhance the functionality of WordPress themes developed by ThemeHunk.

It typically provides features like additional widgets, customization options, and demo content import functionality. It often serves as a companion to ThemeHunk's themes, unlocking advanced design and usability features not available by default.

Critical vulnerability

Researchers from WPScan found the flaw and reported it to the plugin’s developers, who came back with a fix within days.

While investigating a reported cyberattack, WPScan found that a threat actor abused the bug to install a vulnerable version of WP Query Console, a plugin that hasn’t been patched in seven years. This plugin is known for being flawed, allowing crooks to run malicious PHP code on target sites via a remote code execution bug tracked as CVE-2024-50498.

Hunk Companion is currently used by more than 10,000 websites, which isn’t exactly an impressive figure in the world of WordPress sites, but still not negligible.

The bug used to install flawed plugins is tracked as CVE-2024-11972, and has a severity score of 9.1 (critical). The earliest version that addressed it is 1.9.0, and users are advised to install it as soon as possible. BleepingComputer has also noticed that a similar bug was patched in Hunk Companion 1.8.5, tracked as CVE-2024-9707. It seems the patch didn’t work as intended as there are obvious workarounds.

At press time, 11.6% of users upgraded to v1.9, meaning roughly 8,800 sites are still vulnerable.

Via BleepingComputer

Researchers develop new tool for spotting Android malware
Here's a list of the best antivirus options around
These are the best endpoint protection tools right now

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.