Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Another major WordPress plugin has been hacked to try and hijack your sites

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS).

  • Researchers from WPScan find flaw in Hunk Companion, a plugin with roughly 10,000 users
  • The flaw allows crooks to install other plugins from the WP repository, including those with known RCE flaws
  • WPScan found the flaw while investigating an active attack

Hackers have reportedly found a way to install old, outdated, and vulnerable plugins on WordPress websites, directly from the WordPress plugin repository. That way, they are able to introduce vulnerabilities to target sites made with the website builder, which grant them remote code execution (RCE) abilities, SQL injection, cross-site scripting (XSS), admin account creation, and more.

The bug that allows crooks to do that was found in Hunk Companion, a utility plugin designed to enhance the functionality of WordPress themes developed by ThemeHunk.

It typically provides features like additional widgets, customization options, and demo content import functionality. It often serves as a companion to ThemeHunk's themes, unlocking advanced design and usability features not available by default.

Critical vulnerability

Researchers from WPScan found the flaw and reported it to the plugin’s developers, who came back with a fix within days.

While investigating a reported cyberattack, WPScan found that a threat actor abused the bug to install a vulnerable version of WP Query Console, a plugin that hasn’t been patched in seven years. This plugin is known for being flawed, allowing crooks to run malicious PHP code on target sites via a remote code execution bug tracked as CVE-2024-50498.

Hunk Companion is currently used by more than 10,000 websites, which isn’t exactly an impressive figure in the world of WordPress sites, but still not negligible.

The bug used to install flawed plugins is tracked as CVE-2024-11972, and has a severity score of 9.1 (critical). The earliest version that addressed it is 1.9.0, and users are advised to install it as soon as possible. BleepingComputer has also noticed that a similar bug was patched in Hunk Companion 1.8.5, tracked as CVE-2024-9707. It seems the patch didn’t work as intended as there are obvious workarounds.

At press time, 11.6% of users upgraded to v1.9, meaning roughly 8,800 sites are still vulnerable.

Via BleepingComputer

You might also like

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.