1. Forum
  2. tqwNet
  3. TQW GENTECH

  • Another major WordPress plugin has been hacked to try and hijack

    From TechnologyDaily@1337:1/100 to All on Thursday, December 12, 2024 17:15:05
    Another major WordPress plugin has been hacked to try and hijack your sites

    Date:
    Thu, 12 Dec 2024 17:02:00 +0000

    Description:
    Roughly 8,800 WordPress sites are still at risk.

    FULL STORY ======================================================================Research ers from WPScan find flaw in Hunk Companion, a plugin with roughly 10,000 users The flaw allows crooks to install other plugins from the WP repository, including those with known RCE flaws WPScan found the flaw while
    investigating an active attack

    Hackers have reportedly found a way to install old, outdated, and vulnerable plugins on WordPress websites, directly from the WordPress plugin repository. That way, they are able to introduce vulnerabilities to target sites made
    with the website builder , which grant them remote code execution (RCE) abilities, SQL injection, cross-site scripting (XSS), admin account creation, and more.

    The bug that allows crooks to do that was found in Hunk Companion, a utility plugin designed to enhance the functionality of WordPress themes developed by ThemeHunk.

    It typically provides features like additional widgets, customization
    options, and demo content import functionality. It often serves as a
    companion to ThemeHunk's themes, unlocking advanced design and usability features not available by default. Critical vulnerability

    Researchers from WPScan found the flaw and reported it to the plugins developers, who came back with a fix within days.

    While investigating a reported cyberattack, WPScan found that a threat actor abused the bug to install a vulnerable version of WP Query Console, a plugin that hasnt been patched in seven years. This plugin is known for being
    flawed, allowing crooks to run malicious PHP code on target sites via a
    remote code execution bug tracked as CVE-2024-50498.

    Hunk Companion is currently used by more than 10,000 websites, which isnt exactly an impressive figure in the world of WordPress sites, but still not negligible.

    The bug used to install flawed plugins is tracked as CVE-2024-11972, and has
    a severity score of 9.1 (critical). The earliest version that addressed it is 1.9.0, and users are advised to install it as soon as possible. BleepingComputer has also noticed that a similar bug was patched in Hunk Companion 1.8.5, tracked as CVE-2024-9707. It seems the patch didnt work as intended as there are obvious workarounds.

    At press time, 11.6% of users upgraded to v1.9, meaning roughly 8,800 sites are still vulnerable.

    Via BleepingComputer You might also like Researchers develop new tool for spotting Android malware Here's a list of the best antivirus options around These are the best endpoint protection tools right now



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/another-major-wordpress-plugin-has-been -hacked-to-try-and-hijack-your-sites


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)