Active Exploitation Observed for CVE-2024-11972 (CVSS 9.8): WordPress Plugin Flaw Exposes 10,000+ Sites to Backdoor Attacks

by do son ·

CVE-2024-11972 - Hunk Companion

A serious vulnerability in the Hunk Companion plugin for WordPress, tracked as CVE-2024-11972 (CVSS 9.8), has been discovered by the WPScan team. This flaw, present in versions below 1.9.0, allows unauthenticated attackers to install and activate plugins directly from the WordPress.org repository, putting thousands of websites at risk.

The vulnerability enables attackers to exploit the plugin’s themehunk-import endpoint, bypassing intended permission checks. According to the WPScan team, the flaw “allows the download of plugins, even if they have been closed or removed from the repository.” This provides an avenue for attackers to install vulnerable or outdated plugins, which can then be leveraged for further attacks such as:

  • Remote Code Execution (RCE): Gaining unauthorized control of the site.
  • SQL Injection and XSS: Manipulating databases or injecting malicious scripts.
  • Administrative Backdoors: Granting persistent, unauthorized access to the site.

In one observed exploitation chain, attackers installed the vulnerable WP Query Console plugin, which was used to execute arbitrary PHP code. This enabled the creation of a PHP dropper in the root directory, facilitating ongoing backdoor access.

The vulnerability stems from a permission_callback function in the plugin that failed to return a proper boolean value. WPScan’s analysis highlighted, “failed conditions return new WP_REST_Response, which is not a boolean or WP_Error. As a result, the permission_callback always evaluates to true, allowing unauthenticated requests to bypass the intended checks.”

This oversight enabled attackers to exploit the tp_install function, invoking the HUNK_COMPANION_SITES_BUILDER_SETUP class to install and activate plugins without authorization.

The vulnerability was patched in Hunk Companion version 1.9.0. Developers addressed the issue by modifying the permission_callback to correctly deny unauthorized requests.

With over 10,000 active installations of Hunk Companion, the vulnerability exposed numerous websites to potential compromise. WPScan noted, “This vulnerability represents a significant and multifaceted threat, targeting sites that use both a ThemeHunk theme and the Hunk Companion plugin.”

WPScan recommends the following best practices for WordPress site owners:

  • Update Plugins Regularly: Ensure all plugins are updated to their latest versions.
  • Audit Third-Party Plugins: Regularly review the security status of installed plugins.
  • Disable Unused Plugins: Remove unnecessary extensions to reduce the attack surface.

Related Posts:

Tags: CVE-2024-11972Hunk CompanionPHP dropperwordpress