Vulnerability with severity rating of 9.8 out of possible 10 still live on >8,000 sites.
Thousands of sites running WordPress remain unpatched against a critical security flaw in a widely used plugin that was being actively exploited in attacks that allow for unauthenticated execution of malicious code, security researchers said.
The vulnerability, tracked as CVE-2024-11972, is found in Hunk Companion, a plugin that runs on 10,000 sites that use the WordPress content management system. The vulnerability, which carries a severity rating of 9.8 out of a possible 10, was patched earlier this week. At the time this post went live on Ars, figures provided on the Hunk Companion page indicated that fewer than 12 percent of users had installed the patch, meaning nearly 9,000 sites could be next to be targeted.
Significant, multifaceted threat
“This vulnerability represents a significant and multifaceted threat, targeting sites that use both a ThemeHunk theme and the Hunk Companion plugin,” Daniel Rodriguez, a researcher with WordPress security firm WP Scan, wrote. “With over 10,000 active installations, this exposed thousands of websites to anonymous, unauthenticated attacks capable of severely compromising their integrity.”
Rodriguez said WP Scan discovered the vulnerability while analyzing the compromise of a customer’s site. The firm found that the initial vector was CVE-2024-11972. The exploit allowed the hackers behind the attack to make vulnerable sites automatically download WP Query Console, a plugin that hasn’t been updated in years, from wordpress.org.
The attackers then exploited a vulnerability in the latter plugin that allowed them to execute malicious code. The WP Query Console vulnerability, tracked as CVE-2024-50498, carries a severity score of 10 and remains unpatched.
The WP Query Console page on wordpress.org says that the plugin was made temporarily unavailable as of October pending review. The hackers behind the attacks were able to get their exploit to download the years-old WP Query Console plugin anyway, because they used a special wordpress.org URL that overrode the block. Rodriguez said the vulnerability stemmed from a flaw in Hunk Companion code that allowed “unauthenticated requests to bypass the intended checks” that led to the “installation and activation of arbitrary plugins.”
The Hunk Companion vulnerability has been patched in version 1.9.0, which was released two days ago. Hunk Companion developers had patched a similar vulnerability earlier with the release of version 1.8.5. That earlier vulnerability was tracked as CVE-2024-9707 and also had a severity rating of 9.8.
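For administrators who want to check their own installs, the following script looks for the two conditions the reporting above describes: a Hunk Companion install older than 1.9.0 (which also catches anything older than the 1.8.5 fix for CVE-2024-9707), and the presence of WP Query Console, which the observed attackers installed and which has no fix for CVE-2024-50498. This is an added example, not code from WP Scan, ThemeHunk or the plugin authors; it assumes the plugin directory slugs `hunk-companion` and `wp-query-console` and reads the standard `Version:` header that WordPress plugins carry in their main PHP file. The sample plugin tree it builds is constructed for the demonstration.

```python
"""Triage a WordPress plugins directory for the Hunk Companion attack chain.

Findings reported:
  * hunk-companion older than 1.9.0  -> vulnerable to CVE-2024-11972 (and, below 1.8.5, CVE-2024-9707)
  * wp-query-console present at all  -> unfixed CVE-2024-50498 and the artifact the attackers dropped,
                                        so treat it as a compromise indicator even on a patched site
Assumptions (not from the article): the two directory slugs below and the 'Version:' plugin header.
"""
import re
import sys
import tempfile
from pathlib import Path

HUNK_SLUG = "hunk-companion"            # assumed wordpress.org slug
QUERY_CONSOLE_SLUG = "wp-query-console"  # assumed wordpress.org slug
HUNK_FIXED = (1, 9, 0)                   # first fixed release per the article

# WordPress reads plugin headers from the first 8 KB of the main file; lines look like
# " * Version: 1.8.5" inside a comment block or "Version: 1.8.5" on a bare line.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(text: str, width: int = 3) -> tuple:
    """'1.8.5' -> (1, 8, 5); '1.9' -> (1, 9, 0). Non-numeric suffixes ('5-beta') are truncated."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    parts = (parts or [0])[:width]
    return tuple(parts + [0] * (width - len(parts)))


def plugin_version(plugin_dir: Path):
    """Return the Version: header from the plugin's main PHP file, or None if absent."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        m = VERSION_RE.search(head)
        if m:
            return m.group(1)
    return None


def triage(plugins_root) -> list:
    """Return human-readable findings for the given wp-content/plugins directory."""
    root = Path(plugins_root)
    findings = []

    hunk = root / HUNK_SLUG
    if hunk.is_dir():
        ver = plugin_version(hunk)
        if ver is None:
            findings.append(f"{HUNK_SLUG}: installed but no Version: header found; verify manually")
        elif parse_version(ver) < HUNK_FIXED:
            findings.append(f"{HUNK_SLUG} {ver}: vulnerable to CVE-2024-11972 (fixed in 1.9.0); update now")

    if (root / QUERY_CONSOLE_SLUG).is_dir():
        findings.append(
            f"{QUERY_CONSOLE_SLUG}: installed; CVE-2024-50498 is unfixed and this plugin was the "
            "attackers' payload, so treat its presence as a compromise indicator and remove it"
        )
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample install for the demo; not data captured from a real site."""
    (root / HUNK_SLUG).mkdir(parents=True)
    (root / HUNK_SLUG / "hunk-companion.php").write_text(
        "<?php\n/**\n * Plugin Name: Hunk Companion\n * Version: 1.8.5\n */\n")
    (root / QUERY_CONSOLE_SLUG).mkdir()
    (root / QUERY_CONSOLE_SLUG / "wp-query-console.php").write_text(
        "<?php\n/*\nPlugin Name: WP Query Console\nVersion: 1.0\n*/\n")
    (root / "unrelated-plugin").mkdir()  # benign control that must produce no finding
    (root / "unrelated-plugin" / "unrelated-plugin.php").write_text(
        "<?php\n/*\nPlugin Name: Unrelated Plugin\nVersion: 2.4.1\n*/\n")


def demo() -> list:
    """Run triage against the constructed sample tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content" / "plugins"
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    # Usage: python triage.py /var/www/html/wp-content/plugins   (no argument runs the demo)
    results = triage(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("\n".join(results) if results else "no findings")
```

Note that updating Hunk Companion to 1.9.0 does not remove anything an attacker already installed, which is why the script reports WP Query Console regardless of the Hunk Companion version; a site that is patched but still carries that plugin should be handled as a suspected compromise.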
As noted earlier, the Hunk Companion page indicated that only 11.9 percent of sites using the plugin had installed the update. It’s not clear if the special wordpress.org URL still permits the downloading of plugins that have otherwise been blocked. If so, any unpatched sites remain vulnerable to the same exploit chain.
WordPress.org representatives didn’t immediately respond to an email asking why the override mechanism had been available previously or if it remained available now.