| Field | Value |
|---|---|
| OEM | WordPress |
| Severity | Critical |
| Date of Announcement | 2024-12-13 |
| CVSS score | 9.8 |
| CVE | CVE-2024-11972 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
A critical flaw in the WordPress Hunk Companion plugin has been actively exploited to enable the unauthorized installation and activation of plugins. The vulnerability stems from insufficient authorization checks on a REST API endpoint. On exploited sites, attackers can silently install malicious or outdated plugins, leading to severe security risks, including remote code execution (RCE), unauthorized access, and full website compromise.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
|---|---|---|---|---|
| Hunk Companion Plugin Vulnerability | CVE-2024-11972 | Hunk Companion Plugin for WordPress | Critical | 9.8 |
| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2024-11972 | Hunk Companion plugin versions prior to 1.8.4 | The vulnerability is caused by improper validation in the file hunk-companion/import/app/app.php, the script responsible for handling plugin import and installation. At its core, the bug permits unauthenticated requests to bypass the permission checks intended to ensure that only authorized users can install plugins. | Potentially leads to remote code execution, unauthorized access, and full website compromise. |
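The class of defect described above, missing authorization on a REST route that installs plugins, is easiest to see as a weak route beside a hardened one. The following is an added illustrative example written for this advisory; it is not the Hunk Companion plugin's code, and the route namespace (`example-importer/v1`), route paths, and function names are hypothetical placeholders. The weak route uses `__return_true` as its `permission_callback`, so any unauthenticated request reaches the installer; the hardened route requires the `install_plugins` and `activate_plugins` capabilities (which, for REST requests, also implies a valid `X-WP-Nonce`), validates the plugin slug, and only installs from the WordPress.org repository through core's upgrader.

```php
<?php
// Added illustrative example, not the Hunk Companion plugin's own code.
// Namespace, route paths and function names below are hypothetical.

// WEAK PATTERN: a plugin-installing REST route that accepts every request.
// '__return_true' as the permission_callback means no capability or nonce
// check runs, so an unauthenticated caller reaches the handler. This is the
// kind of missing authorization the advisory describes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-importer/v1', '/install-plugin', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_importer_install_plugin',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
} );

// HARDENED PATTERN: require the capabilities WordPress itself uses for
// installing and activating plugins. Cookie-authenticated REST requests must
// also carry a valid X-WP-Nonce; without one, WordPress treats the request as
// unauthenticated and current_user_can() fails for these capabilities.
function example_importer_can_install( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to install plugins.', 'example-importer' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-importer/v1', '/install-plugin-secure', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_importer_install_plugin',
        'permission_callback' => 'example_importer_can_install',
        'args'                => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                // Only a WordPress.org-style slug is accepted; no URLs or paths.
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && preg_match( '/^[a-z0-9-]+$/', $value ) === 1;
                },
            ),
        ),
    ) );
} );

// Shared handler: resolves the slug via the WordPress.org plugin API and
// installs through core's Plugin_Upgrader, so the download source is not
// attacker-controlled even when the caller is authorized.
function example_importer_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

    $slug = $request->get_param( 'slug' );
    $api  = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'installed' => $slug ) );
}
```

When reviewing a plugin for this defect, search its `register_rest_route()` calls for `permission_callback` values of `__return_true` (or a callback that returns `true` unconditionally) on any route that installs, activates, or writes plugins, themes, or options; on the remediation side, the advisory's fixed version for Hunk Companion is 1.8.4, so sites running an earlier version should update before anything else.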