Full Report
Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks. The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations. "This flaw poses a significant security risk, as it
Analysis Summary
# Vulnerability: Unauthenticated Arbitrary Plugin Installation in WordPress Hunk Companion
## CVE Details
- CVE ID: CVE-2024-11972
- CVSS Score: 9.8 (Critical)
- CWE: Missing Authorization (CWE-285) (inferred from the description of bypassed permission checks)
## Affected Systems
- Products: WordPress Hunk Companion plugin
- Versions: All versions prior to **1.9.0**
- Configurations: Any WordPress site utilizing the vulnerable plugin version.
## Vulnerability Description
CVE-2024-11972 is a critical flaw in the Hunk Companion plugin that lets an unauthenticated attacker bypass the authorization checks guarding plugin installation. The bug resides in the script `hunk-companion/import/app/app.php`. It allows an attacker to remotely install unauthorized plugins onto the target WordPress installation, and it appears to bypass the fix for CVE-2024-9707, a similar earlier flaw in the same plugin.
## Exploitation
- Status: **Exploited in the wild** (Attackers were observed weaponizing this flaw).
- Complexity: Low (no authentication required).
- Attack Vector: Network
**Note on observed exploitation chain:** Attackers have been observed using CVE-2024-11972 to silently install other vulnerable plugins, specifically the now-closed WP Query Console plugin, which contained a zero-day RCE flaw (CVE-2024-50498) allowing arbitrary PHP code execution.
## Impact
- Confidentiality: High (Via secondary RCE/backdoors planted by the installed plugin)
- Integrity: High (Via secondary RCE/backdoors planted by the installed plugin)
- Availability: High (Via secondary RCE/backdoors planted by the installed plugin)
## Remediation
### Patches
- **WordPress Hunk Companion Plugin:** Update to version **1.9.0** or later.
### Workarounds
1. **Immediate Action:** If updating is not possible, deactivate and delete the Hunk Companion plugin.
2. **Monitoring:** Enhance monitoring for unauthorized plugin installations or creation of administrative backdoors on the WordPress site.
## Detection
- **Indicators of Compromise (IoCs):**
  - Requests to plugin-installation endpoints within the WordPress installation that were not initiated by a legitimate administrative user, including unexplained spikes in such traffic.
  - Presence of newly installed, unauthorized, or previously unlisted plugins (e.g., WP Query Console).
  - Execution of unexpected PHP code, potentially via companion vulnerabilities such as CVE-2024-50498 if an attacker successfully chained exploits.
- **Detection Methods and Tools:**
  - File integrity monitoring (FIM) solutions scanning the `/wp-content/plugins/` directory for unauthorized additions.
  - Web Application Firewalls (WAFs) or intrusion detection systems that flag anomalous POST requests to functionality within the Hunk Companion plugin directory which lack the required authentication tokens or user sessions.
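The two detection methods above can be turned into concrete checks. The following Python is an added example, not code from the original report, from WPScan, or from the plugin's authors. It assumes a web-server access log in combined format with the request's Cookie header appended as a final quoted field (the standard combined format does not record cookies, so this is a configuration assumption), relies on WordPress's real `wordpress_logged_in_*` session-cookie naming to decide whether a request came from a logged-in user, and uses constructed sample log lines and a constructed plugin baseline. The script path is the one named in the vulnerability description.

```python
"""
Defender-side checks for the Hunk Companion issue:
1. flag POST requests to the plugin's import script that carry no WordPress
   login session (the WAF/IDS guidance above);
2. diff the current plugin directory against a known-good baseline to surface
   plugins that appeared without an administrator installing them (the FIM guidance).
"""
import re
from pathlib import Path
from typing import Iterable

# Script named in the vulnerability description. Unauthenticated POSTs to it are
# the anomaly a WAF or IDS rule should look for.
SUSPECT_PATH = "/wp-content/plugins/hunk-companion/import/app/app.php"

# ASSUMED log format: Apache/nginx combined format plus the Cookie header as a
# final quoted field. Adjust LOG_RE if your server logs cookies differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# CONSTRUCTED sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2024:10:15:01 +0000] "POST /wp-content/plugins/hunk-companion/import/app/app.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [10/Dec/2024:10:16:22 +0000] "POST /wp-content/plugins/hunk-companion/import/app/app.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "wordpress_logged_in_abc123=admin%7C1733900000%7Cx"
192.0.2.9 - - [10/Dec/2024:10:17:03 +0000] "GET /wp-content/plugins/hunk-companion/import/app/app.php HTTP/1.1" 200 128 "-" "Mozilla/5.0" "-"
this line is not a valid access-log entry and is skipped
"""


def is_authenticated(cookie_field: str) -> bool:
    """WordPress sets a wordpress_logged_in_<hash> cookie for logged-in users."""
    return "wordpress_logged_in_" in cookie_field


def find_unauthenticated_installs(lines: Iterable[str]) -> list[dict]:
    """Return POSTs to the plugin's import script made without a login session."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash on malformed input
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] == "POST" and path == SUSPECT_PATH and not is_authenticated(m["cookie"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"])})
    return hits


def installed_plugins(plugins_dir: Path) -> set[str]:
    """Plugin slugs: top-level directories (or single-file plugins) under wp-content/plugins."""
    return {p.name for p in plugins_dir.iterdir() if p.is_dir() or p.suffix == ".php"}


def new_plugins(current: set[str], baseline: set[str]) -> set[str]:
    """Plugins present now that were not in the administrator-approved baseline."""
    return current - baseline


if __name__ == "__main__":
    for hit in find_unauthenticated_installs(SAMPLE_LOG.splitlines()):
        print(f"ALERT unauthenticated plugin-install request from {hit['ip']} at {hit['ts']} (HTTP {hit['status']})")

    # CONSTRUCTED baseline and current state standing in for a real plugins directory;
    # on a live site use installed_plugins(Path("/var/www/html/wp-content/plugins")).
    baseline = {"akismet", "hunk-companion"}
    current = {"akismet", "hunk-companion", "wp-query-console"}
    for slug in sorted(new_plugins(current, baseline)):
        print(f"ALERT plugin not in baseline: {slug}")
```

Run the log check on a schedule over the web-server access log and the baseline diff from a FIM job; a hit from either is a reason to compare the plugin list against change records and to review the site for added administrative users.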
## References
- Vendor specific advisory (WPScan report referenced): hxxps://wpscan.com/blog/unauthorized-plugin-installation-activation-in-hunk-companion/
- Related CVE for RCE in chained plugin: hxxps://www.cve.org/CVERecord?id=CVE-2024-50498
- Related CVE for similar flaw in Hunk Companion: hxxps://www.cve.org/CVERecord?id=CVE-2024-9707