BleepingComputer reports that a zero-day vulnerability in the WordPress plugin called Hunk Companion is being actively exploited by threat actors, who are using it to install outdated and vulnerable plugins from the WordPress.org repository.
The installed plugins contain exploitable flaws, such as remote code execution, SQL injection, and cross-site scripting, allowing attackers to compromise targeted websites.
The flaw, tracked as CVE-2024-11972, allows unauthorized POST requests to install arbitrary plugins. Hunk Companion, a companion plugin for ThemeHunk's customizable themes, has over 10,000 active installations.

Researchers at WPScan, who first discovered the vulnerability, observed attackers using it to install outdated plugins such as WP Query Console, which was last updated over seven years ago. Attackers then use the installed plugin to execute malicious PHP code and establish persistent backdoor access through a PHP dropper uploaded to the site's root directory.

The vulnerability affects all versions before 1.9.0, which was released to address the issue. A related flaw, CVE-2024-9707, was patched earlier, but the fix proved insufficient because attackers bypassed it. The researchers urge Hunk Companion users to update to version 1.9.0 immediately. Despite the patch, only 1,800 sites have been updated, leaving around 8,000 sites exposed to further exploitation.
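A defender-side audit for the conditions the article describes, written as an added example (it is not code from the article, WPScan or ThemeHunk): it flags a Hunk Companion version below 1.9.0, installed plugins that have gone years without an update, and PHP files in the site root that WordPress core does not ship. The plugin metadata, dates and root-directory listing are constructed sample data.

```python
"""Audit a WordPress install for the warning signs described in the article.
All sample data below is constructed for illustration."""
from datetime import date

# Stated in the article: every Hunk Companion version before 1.9.0 is affected.
HUNK_COMPANION_FIXED = (1, 9, 0)
# PHP files that WordPress core itself places in the site root.
WP_CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
STALE_AFTER_DAYS = 2 * 365  # assumption: no update in two years is worth a look

def parse_version(text):
    """'1.8.9' -> (1, 8, 9); pads missing parts with 0, ignores non-digits."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def audit(plugins, root_php_files, today):
    """Return human-readable findings. plugins: slug -> {version, last_updated}."""
    findings = []
    hc = plugins.get("hunk-companion")
    if hc and parse_version(hc["version"]) < HUNK_COMPANION_FIXED:
        findings.append(f"hunk-companion {hc['version']} is below 1.9.0 (CVE-2024-11972)")
    for slug, meta in plugins.items():  # stale plugins, e.g. the WP Query Console case
        age_days = (today - meta["last_updated"]).days
        if age_days > STALE_AFTER_DAYS:
            findings.append(f"{slug} last updated {age_days // 365} years ago")
    for name in sorted(set(root_php_files) - WP_CORE_ROOT_PHP):  # dropper check
        findings.append(f"unexpected PHP file in site root: {name}")
    return findings

# Constructed sample: versions, dates and the odd file name are illustrative only.
TODAY = date(2024, 12, 12)
SAMPLE_PLUGINS = {
    "hunk-companion": {"version": "1.8.9", "last_updated": date(2024, 11, 20)},
    "wp-query-console": {"version": "1.0", "last_updated": date(2017, 3, 1)},
    "akismet": {"version": "5.3", "last_updated": date(2024, 11, 1)},
}
SAMPLE_ROOT_FILES = ["index.php", "wp-load.php", "wp-login.php", "wp-config.php", "x7k2.php"]

if __name__ == "__main__":
    for line in audit(SAMPLE_PLUGINS, SAMPLE_ROOT_FILES, TODAY):
        print("FINDING:", line)
```

On a real site, the plugin map can be built from the plugin headers under wp-content/plugins and the root listing from the document root; a non-core PHP file there is not proof of compromise, only a file to inspect.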