Thousands of websites running WordPress remain unpatched against a critical security flaw in a widely used plugin that was being actively exploited in attacks that allow unauthenticated execution of malicious code, security researchers said.
The vulnerability, tracked as CVE-2024-11972, is present in Hunk Companion, a plugin that runs on 10,000 sites that use the WordPress content management system. The vulnerability, which carries a severity rating of 9.8 out of a possible 10, was patched earlier this week. At the time this post went live on Ars, figures provided on the Hunk Companion page indicated that less than 12 percent of users had installed the patch, meaning nearly 9,000 sites could be next to be targeted.
Significant, multifaceted threat
“This vulnerability represents a significant and multifaceted threat, targeting sites that use both a ThemeHunk theme and the Hunk Companion plugin,” Daniel Rodriguez, a researcher with WordPress security firm WPScan, wrote. “With over 10,000 active installations, this exposed thousands of websites to anonymous, unauthenticated attacks capable of severely compromising their integrity.”
Rodriguez said WPScan discovered the vulnerability while analyzing the compromise of a customer’s site. The firm found that the initial vector was CVE-2024-11972. The exploit allowed the hackers behind the attack to cause vulnerable sites to automatically navigate to wordpress.org and download WP Query Console, a plugin that hasn’t been updated in years.
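A defender-side triage check for the chain described above, added here and not taken from the article or from WPScan: it parses the headers of every plugin under a site's wp-content/plugins directory, flags a Hunk Companion version older than the patched release (the article does not state that version, so it is passed in from the plugin changelog), and flags the presence of WP Query Console. The directory slug wp-query-console and every sample header and version number in the block are constructed assumptions.

```python
import os
import re
import tempfile

DROPPED_SLUG = "wp-query-console"  # assumed directory name of the abandoned plugin
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.M)

def parse_plugin_header(php_source: str) -> dict:
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin file header."""
    return dict(HEADER_RE.findall(php_source))

def version_tuple(version: str) -> tuple:
    """'1.0.0' -> (1, 0, 0); anything after a '-' (pre-release tags) is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))

def audit_plugins(plugins_dir: str, patched_version: str) -> list:
    """Findings for one wp-content/plugins dir; patched_version comes from the changelog."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(path):
            continue
        if slug == DROPPED_SLUG:
            findings.append(f"{slug}: installed (plugin dropped in the observed attacks)")
        for name in os.listdir(path):
            if not name.endswith(".php"):
                continue
            with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read(8192))  # header sits at the top of the file
            if header.get("Plugin Name") == "Hunk Companion":
                ver = header.get("Version", "0")
                if version_tuple(ver) < version_tuple(patched_version):
                    findings.append(f"{slug}: Hunk Companion {ver} is older than {patched_version}")
    return findings

def build_sample_site() -> str:
    """Constructed plugins directory with made-up headers, so the check runs offline."""
    root = tempfile.mkdtemp()
    sample = {"hunk-companion": ("Hunk Companion", "1.0.0"),
              "wp-query-console": ("WP Query Console", "1.0"),
              "akismet": ("Akismet Anti-spam", "5.3")}
    for slug, (pname, ver) in sample.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, f"{slug}.php"), "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: {pname}\n * Version: {ver}\n */\n")
    return root

if __name__ == "__main__":
    for line in audit_plugins(build_sample_site(), "9.9.9"):  # 9.9.9 is a dummy threshold
        print(line)
```

Point `audit_plugins` at a real site's plugins directory and pass the fixed Hunk Companion version to get actionable findings; a hit on wp-query-console on a site that never installed it is worth treating as an incident indicator.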