
Hunk Companion WordPress plugin exploited by hackers to install vulnerable plugins

Take action: If you run the Hunk Companion WordPress plugin, update it immediately. The flaw is being actively exploited, the update is a one-click plugin upgrade, and an unpatched site is an easy target.



Security researchers at WPScan are reporting active exploitation of a vulnerability in the Hunk Companion WordPress plugin. The flaw lets an unauthenticated attacker install and activate arbitrary plugins from the WordPress.org repository, including old, known-vulnerable ones.

The vulnerability is tracked as CVE-2024-11972 (no CVSS score had been assigned at the time of the report) and allows arbitrary plugin installation via unauthenticated POST requests. It affects every version of Hunk Companion before 1.9.0. As of the report date only about 1,800 sites had moved to the patched 1.9.0 release, leaving an estimated 8,200 WordPress sites exposed.

The attackers have been observed using the flaw to install outdated plugins with known security holes, specifically WP Query Console, which has not been updated in over seven years. In the observed attacks they then exploited the unpatched remote code execution vulnerability in WP Query Console (CVE-2024-50498) to run malicious PHP. That payload writes a PHP dropper into the site's root directory; the dropper accepts further code through unauthenticated GET requests, giving the attackers a persistent backdoor that survives even if the vulnerable plugins are later removed.

This vulnerability is a bypass of an earlier fix. A similar flaw was addressed in version 1.8.5 (tracked as CVE-2024-9707), but that patch did not fully close the issue.

Site administrators using the Hunk Companion plugin should update to version 1.9.0, which contains the fix, without delay. Updating closes the installation hole but does not undo an existing compromise: check whether WP Query Console or any other plugin you did not install has appeared, and look for unfamiliar PHP files in the site root.
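The following triage script is an added example, not code from WPScan, the plugin authors, or the attackers. It checks a WordPress install for the three things the advisory calls out: a Hunk Companion version below 1.9.0, a WP Query Console plugin directory, and PHP files in the site root that WordPress core does not ship. The plugin directory slugs `hunk-companion` and `wp-query-console`, the abbreviated core-file allowlist, and the sample site it builds (including the placeholder dropper file name) are assumptions for the demonstration; the advisory does not name the dropper.

```python
import re
import tempfile
from pathlib import Path

PATCHED_VERSION = "1.9.0"                 # fixed release named in the advisory
HUNK_SLUG = "hunk-companion"              # assumed plugin directory slug
QUERY_CONSOLE_SLUG = "wp-query-console"   # assumed directory slug of the abused plugin

# PHP files WordPress core itself places in the site root (abbreviated allowlist,
# extend it for your install). Anything else in the root deserves a look, since the
# advisory says the dropper is written there.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}

# WordPress plugin headers look like " * Version: 1.8.5" inside a PHP doc comment.
_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.MULTILINE)
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def version_tuple(version):
    """'1.8.5' -> (1, 8, 5); non-numeric suffixes are dropped so '1.9.0-beta' sorts as 1.9.0."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_vulnerable(version):
    """Every release before 1.9.0 is affected according to the advisory."""
    return version_tuple(version) < version_tuple(PATCHED_VERSION)


def plugin_version(plugin_dir):
    """Read the Version: header from whichever top-level PHP file carries the plugin header."""
    plugin_dir = Path(plugin_dir)
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads only the first 8 KiB
        if _NAME_RE.search(head):
            match = _VERSION_RE.search(head)
            if match:
                return match.group(1)
    return None


def unexpected_root_php(webroot):
    """PHP files in the site root that core does not ship, sorted by name."""
    return sorted(p.name for p in Path(webroot).glob("*.php") if p.name not in CORE_ROOT_PHP)


def triage(webroot):
    """Run the three checks from the advisory against one WordPress document root."""
    webroot = Path(webroot)
    plugins = webroot / "wp-content" / "plugins"
    hc_version = plugin_version(plugins / HUNK_SLUG)
    return {
        "hunk_companion_version": hc_version,
        "hunk_companion_vulnerable": hc_version is not None and is_vulnerable(hc_version),
        "wp_query_console_present": (plugins / QUERY_CONSOLE_SLUG).is_dir(),
        "unexpected_root_php": unexpected_root_php(webroot),
    }


def build_sample_site(root):
    """Constructed sample: a site on Hunk Companion 1.8.5 that has already been hit."""
    root = Path(root)
    hc = root / "wp-content" / "plugins" / HUNK_SLUG
    hc.mkdir(parents=True)
    (hc / "hunk-companion.php").write_text(
        "<?php\n/**\n * Plugin Name: Hunk Companion\n * Version: 1.8.5\n */\n")
    (root / "wp-content" / "plugins" / QUERY_CONSOLE_SLUG).mkdir()
    for name in ("index.php", "wp-config.php", "wp-load.php"):
        (root / name).write_text("<?php // core file\n")
    # Constructed stand-in for the dropper; the advisory does not give its real file name.
    (root / "sample-dropper.php").write_text("<?php // constructed placeholder\n")
    return root


def run_demo():
    """Build the constructed sample site in a temp dir and return its triage report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_site(tmp))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point `triage()` at a real document root (for example `triage("/var/www/html")`) to run it against a live install; a version below 1.9.0 means update now, and a WP Query Console directory or an unknown root-level PHP file means the site needs incident response, not just the update.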
