1000’s of web sites operating WordPress stay unpatched in opposition to a essential safety flaw in a extensively used plugin that was being actively exploited in assaults that enable for unauthenticated execution of malicious code, safety researchers stated.
The vulnerability, tracked as CVE-2024-11972, is present in Hunk Companion, a plugin that runs on 10,000 websites that use the WordPress content material administration system. The vulnerability, which carries a severity score of 9.8 out of a potential 10, was patched earlier this week. On the time this submit went stay on Ars, figures supplied on the Hunk Companion web page indicated that lower than 12 p.c of customers had put in the patch, that means almost 9,000 websites might be subsequent to be focused.
Vital, multifaceted menace
“This vulnerability represents a major and multifaceted menace, concentrating on websites that use each a ThemeHunk theme and the Hunk Companion plugin,” Daniel Rodriguez, a researcher with WordPress safety agency WP Scan, wrote. “With over 10,000 lively installations, this uncovered 1000’s of internet sites to nameless, unauthenticated assaults able to severely compromising their integrity.”
Rodriquez stated WP Scan found the vulnerability whereas analyzing the compromise of a buyer’s website. The agency discovered that the preliminary vector was CVE-2024-11972. The exploit allowed the hackers behind the assault to trigger weak websites to robotically navigate to wordpress.org and obtain WP Question Console, a plugin that hasn’t been up to date in years.
1000’s of web sites operating WordPress stay unpatched in opposition to a essential safety flaw in a extensively used plugin that was being actively exploited in assaults that enable for unauthenticated execution of malicious code, safety researchers stated.
The vulnerability, tracked as CVE-2024-11972, is present in Hunk Companion, a plugin that runs on 10,000 websites that use the WordPress content material administration system. The vulnerability, which carries a severity score of 9.8 out of a potential 10, was patched earlier this week. On the time this submit went stay on Ars, figures supplied on the Hunk Companion web page indicated that lower than 12 p.c of customers had put in the patch, that means almost 9,000 websites might be subsequent to be focused.
Vital, multifaceted menace
“This vulnerability represents a major and multifaceted menace, concentrating on websites that use each a ThemeHunk theme and the Hunk Companion plugin,” Daniel Rodriguez, a researcher with WordPress safety agency WP Scan, wrote. “With over 10,000 lively installations, this uncovered 1000’s of internet sites to nameless, unauthenticated assaults able to severely compromising their integrity.”
Rodriquez stated WP Scan found the vulnerability whereas analyzing the compromise of a buyer’s website. The agency discovered that the preliminary vector was CVE-2024-11972. The exploit allowed the hackers behind the assault to trigger weak websites to robotically navigate to wordpress.org and obtain WP Question Console, a plugin that hasn’t been up to date in years.
