Vulnerability in WordPress Hunk Companion Plugin Exposed
🕵️♂️ A critical vulnerability in the WordPress Hunk Companion plugin exposes sites to attack. The flaw, tracked as CVE-2024-11972 with a CVSS score of 9.8, affects all versions of Hunk Companion prior to 1.9.0; the plugin has over 10,000 active installations. It lets malicious actors install other, vulnerable plugins on the site, which can in turn lead to Remote Code Execution (RCE), SQL Injection and Cross-Site Scripting (XSS). WPScan found that attackers had exploited the flaw to install the now-closed WP Query Console plugin, which contains an unpatched RCE vulnerability (CVE-2024-50498). A related vulnerability (CVE-2024-9707) was previously patched in version 1.8.5. Sites running an affected version should update to 1.9.0 or later. The incident underscores the need to secure every component of a WordPress site, third-party plugins in particular.
