<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>WordPress Security &#8211; Tech AI Connect</title>
	<atom:link href="https://techaiconnect.com/tag/wordpress-security/feed/" rel="self" type="application/rss+xml" />
	<link>https://techaiconnect.com</link>
	<description>All Tek Information for You</description>
	<lastBuildDate>Fri, 13 Dec 2024 01:38:28 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.2</generator>
	<item>
		<title>Urgent Security Alert: Thousands of WordPress Sites Exposed to Critical Plugin Bug</title>
		<link>https://techaiconnect.com/urgent-security-alert-thousands-of-wordpress-sites-exposed-to-critical-plugin-bug/</link>
					<comments>https://techaiconnect.com/urgent-security-alert-thousands-of-wordpress-sites-exposed-to-critical-plugin-bug/#respond</comments>
		
		<dc:creator><![CDATA[techai]]></dc:creator>
		<pubDate>Fri, 13 Dec 2024 01:38:28 +0000</pubDate>
				<category><![CDATA[CVE-2024-11972]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Hunk Companion]]></category>
		<category><![CDATA[Website Vulnerability]]></category>
		<category><![CDATA[WordPress Security]]></category>
		<guid isPermaLink="false">https://techaiconnect.com/urgent-security-alert-thousands-of-wordpress-sites-exposed-to-critical-plugin-bug/</guid>

					<description><![CDATA[A significant security threat looms over thousands of WordPress sites as researchers reveal that more than 8,000 remain unpatched against a critical v]]></description>
<content:encoded><![CDATA[<p>A significant security threat looms over thousands of WordPress sites: researchers report that more than 8,000 remain unpatched against a critical vulnerability in a popular plugin. The flaw, tracked as CVE-2024-11972, sits in the Hunk Companion plugin, which is installed on roughly 10,000 sites. Although a patch was issued earlier this week, telemetry indicates that fewer than 12 percent of users have applied it, leaving nearly 9,000 websites potentially open to attack.</p>
<p>The vulnerability is rated 9.8 out of 10 on the CVSS severity scale. Researchers at WPScan, a firm specializing in WordPress security, warn that the flaw lets unauthenticated attackers install and activate arbitrary plugins, which in turn allows malicious code to be executed. Daniel Rodriguez, a researcher at the firm, stressed that the flaw exposes the many sites running both ThemeHunk themes and the Hunk Companion plugin to serious risk. &#8220;This vulnerability represents a significant and multifaceted threat,&#8221; he wrote in a recent analysis.</p>
<p>Rodriguez&#8217;s team uncovered the vulnerability while investigating a customer&#8217;s site compromise and found that the attackers had used CVE-2024-11972 as their initial vector. The exploit forced the affected site to fetch a plugin called WP Query Console from wordpress.org and install it; that plugin has not been updated in several years. The attackers then exploited a vulnerability in WP Query Console, tracked as CVE-2024-50498 and rated 10 out of 10, to execute malicious actions on the site.</p>
<p>Notably, WP Query Console had been marked temporarily unavailable on wordpress.org since October while undergoing review. That status did not stop the attack: a specially crafted wordpress.org URL still allowed the outdated plugin to be downloaded, so the attackers could install it anyway. The underlying issue is in Hunk Companion&#8217;s own code, where a flaw lets unauthenticated requests bypass the intended authorization checks, enabling installation and activation of arbitrary plugins on the targeted site.</p>
<p>In response, the Hunk Companion developers released version 1.9.0, which fixes the flaw. An earlier patch for a closely related issue (CVE-2024-9707) had shipped in version 1.8.5; both flaws carry a 9.8 rating. Adoption nevertheless remains poor: as noted, fewer than 12 percent of installations had upgraded as of the latest report. It is also unclear whether the crafted wordpress.org URL that serves the unreviewed plugin is still reachable; if it is, unpatched sites remain exploitable.</p>
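<p>The pattern described above, an unauthenticated request reaching a plugin-install routine, shown as an added illustrative example in PHP. This is not Hunk Companion&#8217;s own code: the route names, function names and the allowlist are assumptions. The first route installs and activates whatever slug is supplied, for anyone who can reach the REST API; the second enforces the capabilities WordPress already defines for this action and restricts the slug to an allowlist.</p>

```php
<?php
// Added illustrative example (not Hunk Companion's code): an unauthenticated REST
// route that installs plugins, next to a hardened version of the same route.
// Route names, function names and the allowlist are assumptions.

add_action( 'rest_api_init', function () {
	// VULNERABLE: '__return_true' makes the route reachable by anyone, so an
	// attacker can POST {"slug":"wp-query-console"} and have any wordpress.org
	// plugin installed and activated on the site.
	register_rest_route( 'example/v1', '/import-plugin', array(
		'methods'             => 'POST',
		'callback'            => 'example_install_plugin_unsafe',
		'permission_callback' => '__return_true',
	) );

	// HARDENED: the permission callback requires the capabilities WordPress
	// already uses for this action. With cookie authentication the REST API
	// also demands a valid X-WP-Nonce, so a logged-in admin cannot be CSRF'd.
	register_rest_route( 'example/v1', '/import-plugin-safe', array(
		'methods'             => 'POST',
		'callback'            => 'example_install_plugin_safe',
		'permission_callback' => function () {
			return current_user_can( 'install_plugins' ) && current_user_can( 'activate_plugins' );
		},
		'args'                => array(
			'slug' => array(
				'required'          => true,
				'sanitize_callback' => 'sanitize_key',
				'validate_callback' => function ( $slug ) {
					return (bool) preg_match( '/^[a-z0-9-]{1,64}$/', $slug );
				},
			),
		),
	) );
} );

function example_install_plugin_unsafe( WP_REST_Request $request ) {
	return example_install_and_activate( (string) $request->get_param( 'slug' ) );
}

function example_install_plugin_safe( WP_REST_Request $request ) {
	$slug = (string) $request->get_param( 'slug' );
	// Assumed allowlist: a companion plugin should only ever install the
	// specific add-ons it was written for, never an arbitrary slug.
	$allowed = array( 'example-theme-addon' );
	if ( ! in_array( $slug, $allowed, true ) ) {
		return new WP_Error( 'rest_forbidden', 'Plugin slug is not on the allowlist.', array( 'status' => 403 ) );
	}
	return example_install_and_activate( $slug );
}

// Shared install logic built on WordPress core APIs (plugins_api, Plugin_Upgrader,
// activate_plugin). Reachability of this routine, not the routine itself, is
// what makes the unsafe route critical.
function example_install_and_activate( $slug ) {
	require_once ABSPATH . 'wp-admin/includes/file.php';
	require_once ABSPATH . 'wp-admin/includes/plugin.php';
	require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
	require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

	$api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
	if ( is_wp_error( $api ) ) {
		return $api;
	}
	$upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
	$result   = $upgrader->install( $api->download_link );
	if ( is_wp_error( $result ) || ! $result ) {
		return new WP_Error( 'install_failed', 'Could not install plugin.', array( 'status' => 500 ) );
	}
	$plugin_file = $upgrader->plugin_info();
	$activated   = activate_plugin( $plugin_file );
	if ( is_wp_error( $activated ) ) {
		return $activated;
	}
	return rest_ensure_response( array( 'installed' => $plugin_file ) );
}
```

<p>Two things worth checking on your own sites: WordPress (since 5.5) logs a <code>_doing_it_wrong</code> notice for any REST route registered without a <code>permission_callback</code>, and <code>'__return_true'</code> is the usual way that notice gets silenced, so grep installed plugins for that string on routes that touch installs, uploads or options. Note that a capability check alone is not a full fix for this class of bug: the safe route above also refuses any slug outside the allowlist, because the harm in the incident described here came from which plugin was installed, not just from who triggered it.</p>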
<p>Amidst these developments, queries directed toward representatives at WordPress.org regarding the continued availability of the exploitative URL have gone unanswered, leaving many website owners and administrators in an uncertain position. As threats grow ever more complex, the critical need for prompt updates in the WordPress community has never been more apparent.</p>
<p>The situation underscores an ongoing narrative within cybersecurity: outdated plugins and neglected updates serve as gateways for severe compromises that damage not just individual sites but broader trust in platforms like WordPress. Administrators are urged to update promptly, audit the plugins installed on their sites, and remain vigilant against emerging threats. This incident is a reminder of why basic security practices, timely patching above all, still matter.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://techaiconnect.com/urgent-security-alert-thousands-of-wordpress-sites-exposed-to-critical-plugin-bug/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Critical LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites</title>
		<link>https://techaiconnect.com/critical-litespeed-cache-plugin-vulnerability-exposes-millions-of-wordpress-sites/</link>
					<comments>https://techaiconnect.com/critical-litespeed-cache-plugin-vulnerability-exposes-millions-of-wordpress-sites/#respond</comments>
		
		<dc:creator><![CDATA[techai]]></dc:creator>
		<pubDate>Thu, 31 Oct 2024 15:07:02 +0000</pubDate>
				<category><![CDATA[CVE-2024-50550]]></category>
		<category><![CDATA[LiteSpeed Cache]]></category>
		<category><![CDATA[Plugin Vulnerability]]></category>
		<category><![CDATA[Web Development]]></category>
		<category><![CDATA[WordPress Security]]></category>
		<guid isPermaLink="false">https://techaiconnect.com/critical-litespeed-cache-plugin-vulnerability-exposes-millions-of-wordpress-sites/</guid>

					<description><![CDATA[A significant security vulnerability has been uncovered in the LiteSpeed Cache plugin for WordPress, which could enable unauthorized attackers to elev]]></description>
<content:encoded><![CDATA[<p>A significant security vulnerability has been uncovered in the LiteSpeed Cache plugin for WordPress that could let unauthenticated attackers elevate their privileges and execute malicious actions. The vulnerability, tracked as CVE-2024-50550, carries a high Common Vulnerability Scoring System (CVSS) score of 8.1 and affects a plugin that is installed on more than six million websites worldwide. A patch has been released in version 6.5.2.</p>
<p>According to Patchstack security researcher Rafie Muhammad, the vulnerability allows unauthenticated users to gain administrator-level access through a flaw in the plugin’s role simulation logic. That access could let attackers upload and install malicious plugins on compromised sites. The vulnerability originates in a function named ‘is_role_simulation’ and is reminiscent of another serious issue disclosed in August 2024 (CVE-2024-28000), which had a CVSS score of 9.8.</p>
<p>The root of the gap is a weak security hash that an attacker can brute-force. The plugin’s crawler feature uses that hash to simulate a logged-in user, including an administrator, so anyone who guesses a valid hash can act as that user.</p>
<p>In response, LiteSpeed removed the flawed role simulation process and implemented a stronger hash generation routine. It now uses a stronger random value generator, expanding the space of possible hashes far beyond the roughly one million of the old code. Muhammad emphasized that security hashes must be both robust and unpredictable, noting that common PHP functions like `rand()` and `mt_rand()` are not suitable sources of randomness for security-sensitive values, especially when they are seeded or used carelessly.</p>
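<p>What &#8220;about one million possibilities&#8221; means in practice, shown as an added illustrative example in PHP. This is not LiteSpeed Cache&#8217;s code; the seeding scheme (a seed with a million states feeding <code>mt_srand()</code>) is an assumption modelled on the description above, and the function names are mine. The block generates a token the weak way, recovers it by walking the whole seed space, and then shows the CSPRNG-based replacement and a constant-time comparison.</p>

```php
<?php
// Added illustrative example (not LiteSpeed Cache's code): a token generator whose
// output space is ~10^6 because its seed is low-entropy, a brute force that walks
// that space, and a replacement built on a CSPRNG. The seeding scheme is an
// assumption modelled on the article's description.
declare(strict_types=1);

const TOKEN_CHARSET  = 'abcdefghijklmnopqrstuvwxyz0123456789';
const WEAK_SEED_SPACE = 1000000; // assumption: seed derived from microseconds (0..999999)

// WEAK: mt_rand() is fully deterministic for a given seed, and the seed has only
// one million states, so six characters still yield at most 10^6 distinct tokens.
function weak_token(int $seed, int $len = 6): string {
    $chars = TOKEN_CHARSET;
    mt_srand($seed % WEAK_SEED_SPACE);
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $chars[mt_rand(0, strlen($chars) - 1)];
    }
    return $out;
}

// Offline recovery: regenerate every candidate until one matches the target.
// An online attacker would instead submit ~10^6 cookie values to the vulnerable endpoint.
function recover_weak_seed(string $target, int $len = 6): ?int {
    for ($seed = 0; $seed < WEAK_SEED_SPACE; $seed++) {
        if (weak_token($seed, $len) === $target) {
            return $seed;
        }
    }
    return null;
}

// STRONG: random_int() draws from the OS CSPRNG; 32 symbols over a 36-symbol
// alphabet is about 165 bits, so enumeration is infeasible whatever the time of creation.
function strong_token(int $len = 32): string {
    $chars = TOKEN_CHARSET;
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $out;
}

// Verification must be constant-time: a plain == comparison leaks the position
// of the first mismatching byte through timing.
function token_matches(string $stored, string $presented): bool {
    return hash_equals($stored, $presented);
}

// Demo: the "victim" token was made at an arbitrary seed; recovery takes seconds.
$victim = weak_token(424242);
$start  = microtime(true);
$seed   = recover_weak_seed($victim);
printf("weak token %s regenerated from seed %s in %.1f s\n",
    $victim, $seed === null ? 'none' : (string) $seed, microtime(true) - $start);
printf("strong token %s (%.0f bits of entropy)\n", strong_token(), 32 * log(36, 2));
```

<p>Run it with <code>php weak_token.php</code>; the brute force over all one million seeds finishes in a few seconds on a laptop, which is the whole point: a token&#8217;s length is irrelevant when its generator has only a million states. Inside WordPress the idiomatic replacement is <code>wp_generate_password( 32, false )</code>, which core backs with a CSPRNG. The stronger mitigation, and the one the vendor chose, is to remove the unauthenticated cookie-to-role mapping altogether rather than to make its secret harder to guess.</p>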
<p>This revelation marks the third security vulnerability reported in the LiteSpeed Cache plugin within the past two months alone, following CVE-2024-44000 and CVE-2024-47374, which had CVSS scores of 7.5 and 7.2 respectively. The frequency of these vulnerabilities raises substantial concerns about the security posture of the plugin.</p>
<p>This announcement comes on the heels of Patchstack revealing critical vulnerabilities in the Ultimate Membership Pro plugin, which could lead to privilege escalation and code execution. Fortunately, those flaws have been addressed in updates following version 12.8.</p>
<p>Furthermore, the ongoing legal dispute between Automattic, the company behind WordPress.com, and WP Engine has unsettled developers, prompting some to withdraw their plugins from the WordPress.org repository. This upheaval makes it more important for site owners to follow appropriate channels for news of plugin removals and security advisories.</p>
<p>Patchstack CEO Oliver Sild cautioned that plugins removed from the WordPress repository no longer receive updates through the normal channel, so users who do not update them manually risk missing vital security patches. Attackers routinely exploit known, unpatched vulnerabilities, and website owners need to remain vigilant in protecting their platforms.</p>
<p>As the tech community continues to grapple with these pressing security challenges, users are encouraged to take proactive measures to secure their sites. Awareness and timely updates are critical defenses against the constantly evolving landscape of cybersecurity threats. Stay informed to mitigate risks and ensure the integrity of your WordPress website.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://techaiconnect.com/critical-litespeed-cache-plugin-vulnerability-exposes-millions-of-wordpress-sites/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
