Critical WordPress plugin vulnerability under active exploit threatens thousands

Thousands of sites running WordPress remain unpatched against a critical security flaw in a widely used plugin that was being actively exploited in attacks that allow for unauthenticated execution of malicious code, security researchers said.

The vulnerability, tracked as CVE-2024-11972, is found in Hunk Companion, a plugin that runs on 10,000 sites that use the WordPress content management system. The vulnerability, which carries a severity rating of 9.8 out of a possible 10, was patched earlier this week. At the time this post went live on Ars, figures provided on the Hunk Companion page indicated that less than 12 percent of users had installed the patch, meaning nearly 9,000 sites could be next to be targeted.

Significant, multifaceted threat

“This vulnerability represents a significant and multifaceted threat, targeting sites that use both a ThemeHunk theme and the Hunk Companion plugin,” Daniel Rodriguez, a researcher with WordPress security firm WP Scan, wrote. “With over 10,000 active installations, this exposed thousands of websites to anonymous, unauthenticated attacks capable of severely compromising their integrity.”

Rodriguez said WP Scan discovered the vulnerability while analyzing the compromise of a customer’s site. The firm found that the initial vector was CVE-2024-11972. The exploit allowed the hackers behind the attack to cause vulnerable sites to automatically navigate to wordpress.org and download WP Query Console, a plugin that hasn’t been updated in years.

The News Spectrum | © 2024 | News