info@thehackernews.com (The Hacker News)
2024-12-12 04:18:00
thehackernews.com
Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks.
The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations.
“This flaw poses a significant security risk, as it enables attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution (RCE), SQL Injection, Cross‑Site Scripting (XSS), or even the creation of administrative backdoors,” WPScan said in a report.
To make matters worse, attackers could leverage outdated or abandoned plugins to circumvent security measures, tamper with database records, execute malicious scripts, and seize control of the sites.
WPScan said it uncovered the security defect when analyzing an infection on an unspecified WordPress site, finding that threat actors were weaponizing it to install a now-closed plugin called WP Query Console, and subsequently leveraging an RCE bug in the installed plugin to to execute malicious PHP code.
It’s worth noting that the zero-day RCE flaw in the WP Query Console, tracked as CVE-2024-50498 (CVSS score: 10.0), remains unpatched.
CVE-2024-11972 is also a patch bypass for CVE‑2024‑9707 (CVSS score: 9.8), a similar vulnerability in Hunk Companion that could enable the installation or activation of unauthorized plugins. This shortcoming was addressed in version 1.8.5.
At its core, it stems from a bug in the script “hunk‑companion/import/app/app.php” that allows unauthenticated requests to bypass checks put in place for verifying if the current user has permission to install plugins.
“What makes this attack particularly dangerous is its combination of factors — leveraging a previously patched vulnerability in Hunk Companion to install a now‑removed plugin with a known Remote Code Execution flaw,” WPScan’s Daniel Rodriguez noted.
“The chain of exploitation underscores the importance of securing every component of a WordPress site, especially third‑party themes and plugins, which can become critical points of entry for attackers.”
The development comes as Wordfence disclosed a high-severity flaw in the WPForms plugin (CVE-2024-11205, CVSS score: 8.5) that makes it possible for authenticated attackers, with Subscriber-level access and above, to refund Stripe payments and cancel subscriptions.
The vulnerability, which affects versions 1.8.4 up to, and including, 1.9.2.1, has been resolved in versions 1.9.2.2 or later. The plugin is installed on over 6 million WordPress sites.
Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.
Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.
Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!
Support Techcratic
If you find value in Techcratic’s insights and articles, consider supporting us with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to blog writing, future updates, and improvements. Support Innovation! Thank you.
Bitcoin Address:
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge
Please verify this address before sending funds.
Bitcoin QR Code
Simply scan the QR code below to support Techcratic.
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.