Intrucept

Security Advisory

Critical Flaw in WordPress Hunk Companion Plugin Enables Unauthorized Plugin Installation

Summary

OEM

WordPress

Severity

Critical

Date of Announcement

2024-12-13

CVSS score

9.8

CVE

CVE-2024-11972

Exploited in Wild

Yes

Patch/Remediation Available

Yes 

Advisory Version

1.0

Overview

A Critical flaw in the WordPress Hunk Companion plugin has been actively exploited to enable unauthorized installation and activation of plugins. This vulnerability stems from insufficient authorization checks on a REST API endpoint. Exploited sites may see attackers silently install malicious or outdated plugins, leading to severe security risks, including remote code execution (RCE), unauthorized access, and website compromise.

Vulnerability Name

CVE ID

Product Affected

Severity

CVSS Score

Hunk Companion Plugin Vulnerability

CVE-2024-11972

Hunk Companion Plugin for WordPress

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-11972

Hunk Companion plugin versions  prior to 1.8.4

This vulnerability is caused by improper validation mechanisms in the file hunk-companion/import/app/app.php, a script responsible for handling plugin import and installation processes. At its core, the bug permits unauthenticated requests to bypass critical permission checks intended to ensure that only authorized users can install plugins.

This vulnerability potentially leads to remote code execution, unauthorized access, and full website compromise.

Remediations

  • “Hunk Companion” WordPress plugin, should update to version 9.0 or later.

General Recommendations

  • Regularly inspect your WordPress site for unknown plugins or modifications.
  • Reducing the risk of delayed patching can be achieved by enabling automatic updates for all plugins
  • Review server and WordPress logs for unauthorized login attempts to detect possible compromise.
  • Keep all plugins, themes, and WordPress core updated. Use strong, unique passwords and enable two-factor authentication for admin accounts.

References

Blogs

Tailored Security Solutions for Maritime Operations by Intrucept  

Tailored Security Solutions from Maritime Operations by Intrucept 

Continue Reading
Events

Future of Maritime Innovation at
METS Trade 2024; Intrucept

Maritime industry worldwide is witnessing massive changes in terms of continuous innovation and managing cyber risk on top priority list. In doing so enabling innovation becomes easier along with exploring various options that approaches and addresses cyber security in the maritime sector.

Now maritime professionals are ready to explore the latest industry trends and adopt solutions that dig deeper into maritime organizations’ challenges and priorities related to cyber security.

Intrucept Participates at the METS Trade 2024

Intrucept, a leader in cybersecurity solutions is excited to announce participation at the prestigious METS Trade 2024 in Amsterdam, Date Nov 19-21(2024).

This marks a significant step forward in transforming the maritime industry by combining the power of cutting-edge cybersecurity solutions.

About Intrucept: Ensuring Maritime Security in a Digital Age

As digital threats evolve, Intrucept is at the forefront of cyber security, providing comprehensive protection for maritime operations. From vessel systems to operational networks, we ensure that your fleet stays secure, resilient, and ready for the challenges of tomorrow.

Our solutions are designed to protect against cyberattacks, safeguard sensitive data, and maintain the integrity of vessel operations, all while enhancing overall business efficiency.

Why We’re Joining Forces at METS Trade 2024

At METS Trade 2024, we’ll be showcasing our unique partnership and how combining advanced cybersecurity with innovative engineering can provide unparalleled protection and efficiency for the maritime industry. Together, we are shaping the future of shipping — where digital security and operational excellence go hand in hand.

What You Can Expect from Our Joint Presence at METS 2024

Innovative cybersecurity solutions for shipping operations: Protect your vessels, data, and systems from the growing cyber threat landscape.

State-of-the-art shipping engineering technologies: Learn how we can optimize vessel performance, enhance fuel efficiency, and ensure compliance with global maritime standards.

Collaborative insights: Our team will be on hand to discuss how we can work together to make your operations safer, smarter, and more sustainable.

We invite you to visit our booth at METS Trade 2024 to explore how our solutions can help future-proof your business, improve operational resilience, and safeguard your digital infrastructure.

Details:

Event: METS Trade 2024

Dates: November 19-21, 2024

Location: Amsterdam RAI, Amsterdam, Netherlands

We look forward to meeting you and discussing how we can drive innovation, security, and efficiency in your maritime operations.

Scroll to top