Thousands of websites operating WordPress stay unpatched in opposition to a essential safety flaw in a extensively used plugin that was being actively exploited in assaults that enable for unauthenticated execution of malicious code, safety researchers stated.
The vulnerability, tracked as CVE-2024-11972, is present in Hunk Companion, a plugin that runs on 10,000 websites that use the WordPress content material administration system. The vulnerability, which carries a severity ranking of 9.8 out of a potential 10, was patched earlier this week. At the time this publish went dwell on Ars, figures supplied on the Hunk Companion web page indicated that lower than 12 % of customers had put in the patch, that means almost 9,000 websites might be subsequent to be focused.
Significant, multifaceted risk
“This vulnerability represents a major and multifaceted risk, focusing on websites that use each a ThemeHunk theme and the Hunk Companion plugin,” Daniel Rodriguez, a researcher with WordPress safety agency WP Scan, wrote. “With over 10,000 lively installations, this uncovered 1000’s of internet sites to nameless, unauthenticated assaults able to severely compromising their integrity.”
Rodriquez stated WP Scan found the vulnerability whereas analyzing the compromise of a buyer’s website. The agency discovered that the preliminary vector was CVE-2024-11972. The exploit allowed the hackers behind the assault to trigger weak websites to mechanically navigate to wordpress.org and obtain WP Query Console, a plugin that hasn’t been up to date in years.
