1000’s of websites operating WordPress stay unpatched in opposition to a essential safety flaw in a extensively used plugin that was being actively exploited in assaults that permit for unauthenticated execution of malicious code, safety researchers stated.
The vulnerability, tracked as CVE-2024-11972, is present in Hunk Companion, a plugin that runs on 10,000 websites that use the WordPress content material administration system. The vulnerability, which carries a severity ranking of 9.8 out of a potential 10, was patched earlier this week. On the time this publish went stay on Ars, figures offered on the Hunk Companion web page indicated that lower than 12 % of customers had put in the patch, that means practically 9,000 websites could possibly be subsequent to be focused.
Important, multifaceted risk
“This vulnerability represents a big and multifaceted risk, concentrating on websites that use each a ThemeHunk theme and the Hunk Companion plugin,” Daniel Rodriguez, a researcher with WordPress safety agency WP Scan, wrote. “With over 10,000 energetic installations, this uncovered hundreds of internet sites to nameless, unauthenticated assaults able to severely compromising their integrity.”
Rodriquez stated WP Scan found the vulnerability whereas analyzing the compromise of a buyer’s website. The agency discovered that the preliminary vector was CVE-2024-11972. The exploit allowed the hackers behind the assault to trigger susceptible websites to routinely navigate to wordpress.org and obtain WP Query Console, a plugin that hasn’t been up to date in years.
