Cybersecurity researchers have identified an actively exploited critical vulnerability in the widely used WordPress plugin Hunk Companion. The security flaw, designated CVE-2024-11972, has received a critical CVSS score of 9.8 and enables unauthenticated attackers to install malicious plugins on vulnerable WordPress websites.
Vulnerability Impact and Scope
The Hunk Companion plugin, which extends the functionality of ThemeHunk themes, is currently installed on more than 10,000 WordPress websites. Analysis reveals that approximately 88% of these installations remain vulnerable, as only 12% of users have upgraded to the patched version 1.9.0. This widespread exposure presents a significant security risk to the WordPress ecosystem.
Technical Analysis of the Security Flaw
The vulnerability resides in the hunk-companion/import/app/app.php component, where insufficient access control checks allow unauthenticated users to reach functionality that should require an authorized administrator. Attackers can exploit this flaw through unauthenticated POST requests, enabling them to install arbitrary plugins. Because the installed plugin is of the attacker's choosing, the flaw potentially exposes affected websites to multiple further attack vectors, including Remote Code Execution (RCE), SQL injection, and Cross-Site Scripting (XSS).
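To show the bug class described above, here is an added illustration (not Hunk Companion's own code, and not its actual route) of a WordPress REST endpoint that installs a plugin by slug, registered once with the weak permission callback that lets any unauthenticated POST reach the installer and once in a hardened form; the route names, function names and the allowlist are hypothetical.

```php
<?php
// Added illustration, not Hunk Companion's code: one install callback behind two
// route registrations, the weak pattern (shown for contrast) and the hardened form.
// Route names, function names and the allowlist below are hypothetical.

// Plugins this endpoint is permitted to install; any other slug is refused.
const EXAMPLE_ALLOWED_PLUGIN_SLUGS = array( 'example-allowed-plugin' );

function example_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $slug = $request->get_param( 'slug' );
    if ( ! in_array( $slug, EXAMPLE_ALLOWED_PLUGIN_SLUGS, true ) ) {
        return new WP_Error( 'plugin_not_allowed', 'Plugin not in allowlist.', array( 'status' => 400 ) );
    }
    // Resolve the package URL via the wordpress.org API instead of trusting a client-supplied URL.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'installed' => $slug ) );
}

add_action( 'rest_api_init', function () {
    $args = array( 'slug' => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ) );

    // WEAK: '__return_true' accepts every request, so an unauthenticated POST runs the installer.
    register_rest_route( 'example-import/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => '__return_true',
        'args'                => $args,
    ) );

    // HARDENED: WordPress validates the cookie-auth nonce (X-WP-Nonce) before it sets the
    // current user, and that user must hold install_plugins; otherwise the callback never runs.
    register_rest_route( 'example-import/v1', '/install-plugin-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => function () {
            if ( current_user_can( 'install_plugins' ) ) {
                return true;
            }
            return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
        },
        'args'                => $args,
    ) );
} );
```

The permission callback, not the route callback, is where the authorization decision must live: WordPress runs it before any request body is processed, which is the check missing in the vulnerable pattern.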
Attack Chain and Exploitation
Security researchers at WPScan have documented active exploitation attempts where attackers leverage CVE-2024-11972 to deploy outdated versions of the WP Query Console plugin. This deprecated plugin contains its own critical RCE vulnerability (CVE-2024-50498) with a maximum CVSS score of 10.0, which attackers subsequently exploit to execute malicious PHP code and gain complete website control.
Security Patch History and Implications
The current vulnerability emerged from an incomplete patch for a previous security flaw, CVE-2024-9707, which also carried a critical CVSS score of 9.8. This pattern suggests underlying issues in the security update development and testing processes, highlighting the importance of comprehensive security reviews in plugin development.
Given the active exploitation and severe potential impact of this vulnerability, WordPress site administrators are strongly advised to immediately update the Hunk Companion plugin to version 1.9.0. Security best practices recommend conducting a thorough audit of installed plugins to detect unauthorized modifications and implementing additional security measures such as Web Application Firewalls (WAF) to protect against similar attacks. Regular security assessments and prompt patch management remain crucial for maintaining WordPress website security.