Unauthorized Plugin Installation/Activation in Hunk Companion Plugin Actively Exploited

ISGroup Cybersecurity

A critical vulnerability in the Hunk Companion plugin (< 1.9.0) allows unauthenticated attackers to perform POST requests that install and activate plugins directly from the WordPress.org repository. This flaw enables the installation of vulnerable or removed plugins, which can subsequently be exploited for severe attacks such as Remote Code Execution (RCE), SQL Injection, Cross-Site Scripting (XSS), or the creation of backdoors.

The vulnerability has been actively exploited in real-world environments. Threat actors have used this flaw in combination with vulnerabilities present in installed plugins, such as WP Query Console, to compromise WordPress sites. The attack chain involves the installation of WP Query Console followed by the exploitation of its RCE vulnerability to execute arbitrary PHP code, facilitating further exploits and persistence.

Producthunk-companion
Date2024-12-16 13:59:35
Information
  • Trending
  • Fix Available
  • Active Exploitation

Technical Summary

CVE-ID: CVE-2024-11972

Affected Plugin: Hunk Companion (< 1.9.0)

Severity (CVSS v3.1): 9.8 (Critical)

The vulnerability resides in the themehunk-import endpoint defined in the Hunk Companion plugin. Due to an improper implementation of the permission_callback function in the REST API handler, unauthenticated requests bypass authorization checks. The tp_install function within the plugin is then invoked, which facilitates the download and activation of plugins, including those marked as closed or vulnerable on WordPress.org.

The exploitation observed in real-world environments follows this sequence:

  1. Installation and activation of WP Query Console: Attackers exploit the Hunk Companion vulnerability to install and activate WP Query Console, a plugin with an unpatched RCE vulnerability.
  2. Remote Code Execution: Using WP Query Console, attackers execute arbitrary PHP code to deploy malicious droplets in the site’s root directory, allowing continuous access via unauthenticated GET requests.

This attack chain exposes over 10,000 websites using the Hunk Companion plugin to significant risks, including site compromise, data theft, and potential malware distribution.

Recommendations

Update immediately: Update to version 1.9.0 or later of Hunk Companion, which addresses the vulnerability by fixing the permission_callback implementation.

[Callforaction-THREAT-Footer]