Thousands of WordPress Sites Remain Unpatched Against Critical Security Flaw
Significant, Multifaceted Threat
Thousands of sites running WordPress remain unpatched against a critical security flaw in a widely used plugin that was being actively exploited in attacks that allow for unauthenticated execution of malicious code, security researchers said.
The Vulnerability
The vulnerability, tracked as CVE-2024-11972, is found in Hunk Companion, a plugin that runs on 10,000 sites that use the WordPress content management system. The vulnerability, which carries a severity rating of 9.8 out of a possible 10, was patched earlier this week. At the time this post went live on Ars, figures provided on the Hunk Companion page indicated that less than 12 percent of users had installed the patch, meaning nearly 9,000 sites remained exposed and could be targeted next.
A Serious Concern for Site Integrity
"This vulnerability represents a significant and multifaceted threat, targeting sites that use both a ThemeHunk theme and the Hunk Companion plugin," Daniel Rodriguez, a researcher with WordPress security firm WP Scan, wrote. "With over 10,000 active installations, this exposed thousands of websites to anonymous, unauthenticated attacks capable of severely compromising their integrity."
The Exploit
WP Scan discovered the vulnerability while analyzing the compromise of a customer’s site. The firm found that the initial vector was CVE-2024-11972. The exploit allowed the hackers behind the attack to cause vulnerable sites to automatically navigate to wordpress.org and download WP Query Console, a plugin that hasn’t been updated in years.
Conclusion
The discovery of this vulnerability highlights the importance of timely patching and regular security audits for WordPress websites. With the sheer number of unpatched sites, it is crucial that site administrators take immediate action to prevent potential attacks and compromise.
Frequently Asked Questions
Q: What is the vulnerability?
A: The vulnerability is a critical security flaw in the Hunk Companion plugin, tracked as CVE-2024-11972, which allows for unauthenticated execution of malicious code.
Q: How many sites are affected?
A: The vulnerability affects over 10,000 sites that use the Hunk Companion plugin.
Q: Is the patch available?
A: Yes, the patch was released earlier this week, and site administrators are urged to install it as soon as possible.
Q: What should I do if I’m affected?
A: Install the patch immediately, and consider conducting a security audit to identify any potential vulnerabilities.
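For the audit the FAQ recommends, the following is an added example (not code from WP Scan, Ars or the plugin authors) that inventories a site's wp-content/plugins directory and flags the two plugins the article names: Hunk Companion below the fixed release, and WP Query Console, which the article reports the exploit installed on compromised sites. It assumes the standard WordPress plugin header format (Plugin Name: and Version: lines in the main PHP file); PATCHED_VERSION is a placeholder because the article gives no version number, and SAMPLE_SOURCES is constructed test input.

```python
import re
from pathlib import Path

# Placeholder: the article gives no version number; take the fixed release
# from the Hunk Companion changelog before running this against a real site.
PATCHED_VERSION = "X.Y.Z"
VULNERABLE_SLUG = "hunk-companion"
DROPPED_SLUG = "wp-query-console"   # reported as dropped onto compromised sites

# Matches standard WordPress plugin header lines, e.g. " * Version: 1.2.3"
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# Constructed sample: three plugin main files as they would sit on disk.
SAMPLE_SOURCES = {
    "hunk-companion": "<?php\n/**\n * Plugin Name: Hunk Companion\n * Version: 1.0.0\n */\n",
    "some-other-plugin": "<?php\n/**\n * Plugin Name: Other\n * Version: 3.2.1\n */\n",
    "wp-query-console": "<?php\n/*\nPlugin Name: WP Query Console\nVersion: 0.1\n*/\n",
}

def parse_version(text):
    """'1.8.10' -> (1, 8, 10); tuples compare numerically, unlike strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def parse_header(source):
    """Return the header fields found in a plugin's main PHP file."""
    return dict(HEADER_RE.findall(source[:8192]))  # headers sit in the first few KB

def audit_plugins(plugin_sources, patched_version=PATCHED_VERSION):
    """plugin_sources: {slug: main-file text}. Returns [(slug, finding), ...]."""
    fixed = parse_version(patched_version)
    if not fixed:  # refuse to run with the placeholder, which would flag nothing
        raise ValueError(f"patched_version {patched_version!r} is still a placeholder")
    findings = []
    for slug, source in sorted(plugin_sources.items()):
        version = parse_header(source).get("Version", "0")
        if slug == VULNERABLE_SLUG and parse_version(version) < fixed:
            findings.append((slug, f"unpatched version {version} (< {patched_version})"))
        if slug == DROPPED_SLUG:
            findings.append((slug, f"present (version {version}); confirm it was installed on purpose"))
    return findings

def load_plugin_sources(plugins_root):
    """Read, for each plugin directory, the first PHP file that carries a header."""
    sources = {}
    for plugin_dir in sorted(p for p in Path(plugins_root).iterdir() if p.is_dir()):
        for php in sorted(plugin_dir.glob("*.php")):
            text = php.read_text(errors="ignore")
            if "Plugin Name" in parse_header(text):
                sources[plugin_dir.name] = text
                break
    return sources

if __name__ == "__main__":
    for slug, finding in audit_plugins(SAMPLE_SOURCES, patched_version="9.9.9"):
        print(f"{slug}: {finding}")
```

On a live site, replace SAMPLE_SOURCES with load_plugin_sources("/path/to/wp-content/plugins") and pass the real fixed version; a hit on wp-query-console that nobody installed deliberately is the post-exploitation artifact the article describes.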