Hunk Companion WordPress plugin exploited to install vulnerable plugins

Hackers are exploiting a critical vulnerability in the "Hunk Companion" plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository.

By installing outdated plugins with known vulnerabilities with available exploits, the attackers can access a large pool of flaws that lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS) flaws, or create backdoor admin accounts.

The activity was discovered by WPScan, who reported it to Hunk Companion, with a security update addressing the zero-day flaw released yesterday.

Installing vulnerable plugins

Hunk Companion is a WordPress plugin designed to complement and enhance the functionality of themes developed by ThemeHunk, a provider of customizable WordPress themes, so it's more of an add-on rather than a standalone plugin.

According to WordPress.org stats, Hunk Companion is currently used by over 10,000 WordPress sites, so it's a relatively niche tool in the space.

The critical vulnerability was discovered by WPScan researcher Daniel Rodriguez and is tracked as CVE-2024-11972. The flaw allows the arbitrary installation of plugins by means of unauthenticated POST requests.

The issue impacts all versions of Hunk Companion before the latest 1.9.0, released yesterday, which addressed the problem.

While investigating a WordPress site infection, WPScan discovered active exploitation of CVE-2024-11972 to install a vulnerable version of WP Query Console.

This is an obscure plugin last updated over 7 years ago, which the hackers exploited to execute malicious PHP code on the targeted sites, leveraging the zero-day RCE flaw CVE-2024-50498.

"In the infections we've analyzed, attackers use the RCE to write a PHP dropper to the site's root directory," explains WPScan.

"This dropper allows continued unauthenticated uploads via GET requests, enabling persistent backdoor access to the site."

It's worth noting that Hunk Companion fixed a similar flaw in version 1.8.5, which was tracked under CVE-2024-9707, but apparently, the patch wasn't adequate, and ways to bypass it exist.

Given the flaw's severity and its active exploitation status, users of Hunk Companion are recommended to update to 1.9.0 as soon as possible.

At the time of writing, the latest version has been downloaded roughly 1,800 times, so at least eight thousand websites remain vulnerable to exploitation.