A significant security threat looms over thousands of WordPress sites: researchers report that more than 8,000 remain unpatched against a critical vulnerability in a popular plugin. The flaw, tracked as CVE-2024-11972, lies in the Hunk Companion plugin, which is installed on approximately 10,000 sites in the WordPress ecosystem. Although a patch was issued earlier this week, data indicated that fewer than 12 percent of users had applied it, leaving nearly 9,000 websites potentially exposed to attack.
The vulnerability is rated 9.8 out of 10 on the severity scale. Security researchers at WPScan, a firm specializing in WordPress security, have warned that the flaw can be used to execute malicious code without authorization. Daniel Rodriguez, a researcher at the firm, stressed the gravity of the situation, stating that the flaw exposes a multitude of sites using both ThemeHunk themes and the Hunk Companion plugin to serious threats. “This vulnerability represents a significant and multifaceted threat,” he emphasized in a recent analysis.
Rodriguez’s team uncovered the vulnerability while investigating a customer’s site compromise, discovering that the attackers had used CVE-2024-11972 as their initial vector. The exploit caused the affected sites to fetch from wordpress.org and install a plugin known as WP Query Console, which has not received updates for several years. The attackers then exploited a vulnerability in WP Query Console, tracked as CVE-2024-50498, to carry out their malicious actions. That vulnerability carries the maximum severity score of 10, an equally pressing risk.
Notably, the WP Query Console plugin had been marked temporarily unavailable as of October while undergoing review. However, through a specially crafted URL on wordpress.org, the attackers were able to circumvent that status and have the outdated plugin installed anyway, completing their exploit. The core issue lies in the Hunk Companion’s code, where a flaw permits unauthorized requests to bypass the intended security checks, enabling the installation and activation of arbitrary plugins on vulnerable sites.
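To make that class of flaw concrete, here is an added example, not Hunk Companion’s code: a hypothetical theme-companion REST route that installs a plugin from wordpress.org, shown first with the missing authorization check the article describes and then in hardened form (route, slug and function names are made up).

```php
<?php
// Added illustration, not Hunk Companion's code: a hypothetical plugin-install
// REST route, first with the authorization gap, then hardened. Names are made up.
function example_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $request->get_param( 'slug' ),
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    // Downloads and unpacks the ZIP into wp-content/plugins: the power an
    // unauthenticated caller gains when the permission check below is missing.
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    return rest_ensure_response( array( 'installed' => true === $result ) );
}

add_action( 'rest_api_init', function () {
    // VULNERABLE PATTERN: permission_callback accepts every request, so anyone
    // on the internet can make the site fetch and install an arbitrary slug.
    register_rest_route( 'example-theme/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => '__return_true', // the bug: no capability check
    ) );

    // HARDENED PATTERN: require a logged-in user with install_plugins (WordPress
    // treats cookie-authenticated REST calls lacking a valid X-WP-Nonce as
    // anonymous, so this also defeats cross-site requests) and allow-list slugs.
    register_rest_route( 'example-theme/v1', '/install-plugin-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' )
                ? true
                : new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $slug ) {
                    return in_array( $slug, array( 'example-companion' ), true );
                },
            ),
        ),
    ) );
} );
```

For detection, a defender reviewing web logs would look for unauthenticated POSTs to plugin-install routes under /wp-json/, followed shortly by new directories appearing under wp-content/plugins.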
In response to the threat, Hunk Companion developers released version 1.9.0, which fixes the vulnerabilities present in earlier versions. Notably, an earlier patch for a similar flaw (CVE-2024-9707) shipped in version 1.8.5; both flaws carry a severity rating of 9.8. Despite these updates, the statistics remain grim: as noted above, fewer than 12 percent of existing users had upgraded to the patched version as of the latest report. It remains unclear whether the route for downloading the withdrawn plugin is still available; if it is, unpatched sites remain exposed.
Amid these developments, queries to representatives at WordPress.org about whether the URL used in the attacks is still available have gone unanswered, leaving many website owners and administrators in an uncertain position. As threats grow ever more complex, the critical need for prompt updates in the WordPress community has never been more apparent.
The situation underscores an ongoing narrative within cybersecurity: outdated plugins and neglected updates can serve as gateways for severe vulnerabilities that compromise not just individual sites but broader community trust in platforms like WordPress. Administrators are urged to act swiftly, safeguard their sites, and remain vigilant against emerging threats. Security remains paramount, and this incident serves as a reminder of the importance of adhering to cybersecurity best practices in today’s digital landscape.