OEM | WordPress |
Severity | Critical |
Date of Announcement | 2024-12-13 |
CVSS score | 9.8 |
CVE | CVE-2024-11972 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
A Critical flaw in the WordPress Hunk Companion plugin has been actively exploited to enable unauthorized installation and activation of plugins. This vulnerability stems from insufficient authorization checks on a REST API endpoint. Exploited sites may see attackers silently install malicious or outdated plugins, leading to severe security risks, including remote code execution (RCE), unauthorized access, and website compromise.
Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
Hunk Companion Plugin Vulnerability | CVE-2024-11972 | Hunk Companion Plugin for WordPress | Critical | 9.8 |
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-11972 | Hunk Companion plugin versions prior to 1.8.4 | This vulnerability is caused by improper validation mechanisms in the file hunk-companion/import/app/app.php, a script responsible for handling plugin import and installation processes. At its core, the bug permits unauthenticated requests to bypass critical permission checks intended to ensure that only authorized users can install plugins. | This vulnerability potentially leads to remote code execution, unauthorized access, and full website compromise. |
OEM | Microsoft |
Severity | Critical |
Date of Announcement | 2024-12-12 |
CVE | Not yet assigned |
Exploited in Wild | No |
Patch/Remediation Available | Yes (No official patch) |
Advisory Version | 1.0 |
Vulnerability Name | NTLM Zero-Day |
A recently discovered zero-day vulnerability in Windows, enables attackers to steal user credentials through a malicious file viewed in File Explorer. This “clickless” exploit bypasses the need for user interaction, creating significant security risks. While Microsoft investigates, 0patch has released an unofficial micropatch to mitigate the threat. Users are advised to apply the patch or implement mitigations to reduce exposure.
Vulnerability Name | CVE ID | Product Affected | Severity |
NTLM zero-day | Not Yet Assigned | Microsoft Windows | Critical |
CVE ID | System Affected | Vulnerability Details | Impact |
Not Yet Assigned | Windows 7 to 11 (24H2), Server 2008 R2 to 2022 | A zero-day vulnerability that allows NTLM credential theft by viewing a malicious file in File Explorer. The flaw forces an outbound NTLM connection, leaking NTLM hashes. Exploitation requires no user interaction beyond viewing a malicious file, which can be delivered through shared folders, USB drives, or malicious downloads in the browser's default folder. | Enables attackers to steal NTLM credentials and gain unauthorized access of the affected systems. |
The company acknowledged it is investigating claims by a public threat group linked to the November ransomware attack.
Continue Reading