A critical vulnerability in the Hunk Companion WordPress plugin has left over 10,000 websites susceptible to cyberattacks.
This flaw allows malicious actors to install and activate vulnerable plugins, posing significant security risks to affected sites.
Exploitation of the Vulnerability
The vulnerability, identified as CVE-2024-11972, was discovered by WPScan researcher Daniel Rodriguez.
It enables attackers to exploit the Hunk Companion plugin by sending unauthenticated POST requests, allowing them to install additional plugins with known vulnerabilities directly from the WordPress.org repository.
These plugins can then be leveraged for remote code execution (RCE), SQL injection, cross-site scripting (XSS), or creating backdoor admin accounts.

The exploitation of this vulnerability was first detected during an investigation into a WordPress site infection.
Hackers were found using this flaw to install outdated plugins like WP Query Console, which had not been updated for over seven years.
This allowed them to execute malicious PHP code on targeted sites, exploiting a zero-day RCE flaw identified as CVE-2024-50498.
Impact and Response
Hunk Companion is designed to enhance the functionality of themes developed by ThemeHunk and is used by more than 10,000 WordPress sites.
The vulnerability affects all versions of the plugin before version 1.9.0, which was released recently to address this issue.
Despite the release of a security update, approximately 8,000 sites remain vulnerable as only about 1,800 users have downloaded the latest patched version.
The severity of this vulnerability is underscored by its critical CVSS score of 9.8, highlighting the potential for significant damage if exploited.
Users are strongly advised to update their plugins immediately to mitigate these risks.
Ongoing Security Concerns
This incident is not the first time Hunk Companion has faced security challenges.
A similar flaw was patched in version 1.8.5 under CVE-2024-9707; however, it appears that previous patches were insufficient to fully secure the plugin against unauthorized installations and activations.
Security experts emphasize the importance of keeping plugins updated and monitoring for any unusual activity on websites.
Additionally, website administrators are encouraged to use security tools like Wordfence to receive timely notifications about vulnerabilities that could affect their sites.
As cyber threats continue to evolve, maintaining robust security practices remains crucial for protecting digital assets from exploitation and ensuring the integrity of online platforms.
Also Read: