Researchers at WPScan have discovered a critical vulnerability in Hunk Companion, a popular WordPress plugin that bundles everything needed to build a complete website. A patch for the flaw, tracked as CVE-2024-11972, is already available, but at the time of writing it has been applied by less than 12% of users, which leaves more than 8,000 websites at serious risk.
The vulnerability carries a CVSS severity score of 9.8 out of 10, and not by accident: it lets attackers force the installation and activation of arbitrary plugins, including dangerous ones such as WP Query Console, on a targeted site without authenticating. It is that second plugin that represents the real threat, since it allows malicious code to be executed, again without any authentication.
"This vulnerability, which targets websites that use both a ThemeHunk theme and the Hunk Companion plugin, poses a serious and complex threat. With over 10,000 active installations, this has exposed thousands of websites to anonymous and unauthenticated attacks that can severely compromise their integrity," said Daniel Rodriguez of WPScan.
WP Query Console, which has not been updated in years, contains the CVE-2024-50498 vulnerability, rated a maximum 10 out of 10 on the CVSS scale. Precisely for that reason, downloads of the plugin were blocked in October. The attackers circumvented the block by fetching the plugin from an alternative wordpress.org address. The dangerous plugin has since been removed entirely, but the problem of already-compromised sites remains. WPScan's researchers therefore recommend installing Hunk Companion version 1.9.0, which closes the hole, as quickly as possible.
https://youtu.be/WOiYGtAH4NU?si=mLWSv5TQtiMyamzJ
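A quick way to triage a site against the two conditions the article describes (an unpatched Hunk Companion, and a WP Query Console plugin that an attacker may have dropped through it) is to feed WP-CLI's plugin list through a small check. The script below is an added example, not code from the article or from WPScan, and it assumes the wordpress.org plugin slugs are hunk-companion and wp-query-console and that the input is the output of `wp plugin list --fields=name,status,version --format=csv`.

```shell
#!/bin/sh
# Added example: triage a WordPress install for CVE-2024-11972 exposure.
# Assumed input format (wp-cli csv): name,status,version per line, header first.
# Assumed plugin slugs: hunk-companion, wp-query-console.

# version_ge A B: exit 0 when dotted version A >= B. Pure awk, so it does not
# depend on GNU `sort -V`. Non-numeric suffixes ("1.9.0-beta") compare as 0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, pa, "."); nb = split(b, pb, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? pa[i] + 0 : 0;
      y = (i <= nb) ? pb[i] + 0 : 0;
      if (x > y) exit 0;
      if (x < y) exit 1;
    }
    exit 0 }'
}

# hunk_triage: reads the csv on stdin, prints one finding per relevant plugin,
# returns 1 if anything needs action and 0 otherwise.
hunk_triage() {
  status=0
  while IFS=, read -r name state version; do
    case "$name" in
      hunk-companion)
        if version_ge "$version" "1.9.0"; then
          echo "OK: hunk-companion $version is at or above the fixed release 1.9.0"
        else
          echo "VULNERABLE: hunk-companion $version < 1.9.0 (CVE-2024-11972); update now"
          status=1
        fi ;;
      wp-query-console)
        # Presence of this plugin is itself a compromise indicator: it exposes
        # unauthenticated code execution (CVE-2024-50498) and was pulled from
        # the directory, so a legitimate fresh install is not expected.
        echo "SUSPICIOUS: wp-query-console $version present ($state); treat the site as compromised"
        status=1 ;;
    esac
  done
  return $status
}

# Usage on a live site (requires wp-cli in the WordPress root):
#   wp plugin list --fields=name,status,version --format=csv | hunk_triage
```

Run it from the WordPress root on each site you manage and act on any non-zero exit. One caveat: a clean result only proves that these two plugins are in order. CVE-2024-11972 allows installation of arbitrary plugins, so an attacker who reached a site may have dropped something other than WP Query Console; a site found running that plugin should be treated as compromised and reviewed for other unexpected plugins, users and files rather than simply cleaned of the one indicator.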