“Numerous Websites at Risk from Unresolved WordPress Plugin Exploit”

# Severe WordPress Vulnerability Endangers Countless Websites

A critical vulnerability rated 9.8 out of 10 on the CVSS scale continues to put a large number of WordPress sites at risk. A patch is available, but more than 8,000 sites have still not applied it, leaving them open to unauthenticated exploitation. The flaw, tracked as **CVE-2024-11972**, affects the popular **Hunk Companion plugin**, which accompanies ThemeHunk themes on WordPress.

## The Extent of the Threat

The Hunk Companion plugin has more than 10,000 active installations, so the vulnerability is widespread. Download statistics on the plugin’s WordPress.org page show that only 11.9% of users have installed the patch released earlier this week, which means nearly 88% of sites running the plugin remain exposed.

The vulnerability lets unauthenticated attackers install and activate arbitrary plugins on affected sites, which in practice hands them the ability to run code of their choosing. The consequences include data theft, defacement, and the installation of further malicious components. Security researchers have observed active exploitation in the wild, so patching is urgent.

## Mechanism of the Exploit

The vulnerability was discovered by researchers at WPScan, a WordPress security company, while investigating a compromised customer site. They found that attackers were exploiting **CVE-2024-11972** to make the site download and activate a second, separately vulnerable plugin, **WP Query Console**.

WP Query Console, which has not been updated in years, carries its own critical vulnerability, **CVE-2024-50498**, with the maximum severity rating of 10. This second flaw gives attackers arbitrary code execution, completing the compromise. WP Query Console had been temporarily removed from WordPress.org for review, but the attackers bypassed that barrier by fetching the plugin package from a specific WordPress.org URL that still served it.

## Fundamental Cause and Mitigation

The root cause of the Hunk Companion vulnerability is an authorization check that unauthenticated requests could bypass, allowing anyone to make the site install and activate plugins of their choosing and so opening the door to the secondary exploitation described above. The Hunk Companion developers fixed the issue in version 1.9.0, released two days ago; earlier releases, including the 1.8.5 update that addressed a previous flaw, remain vulnerable. The low uptake of the patch means the threat persists.
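To make the root cause concrete, here is an added PHP illustration of the bug class the article describes: a WordPress REST route that installs and activates a plugin without checking who is calling, shown beside a hardened form of the same route. This is example code written for this page, not Hunk Companion's source; the `hc_demo` namespace, route paths, function names and allow-list are invented, while the WordPress APIs used (`register_rest_route`, `current_user_can`, `plugins_api`, `Plugin_Upgrader`, `activate_plugin`) are real.

```php
<?php
// Added illustration of the bug class, not Hunk Companion's actual code.
// Namespace "hc_demo", route names, function names and the allow-list are invented.

// Shared handler: installs the plugin with the given slug from WordPress.org and
// activates it. Whether this is dangerous depends entirely on who can reach it.
function hc_demo_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $slug = $request->get_param( 'slug' );
    $api  = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return new WP_Error( 'hc_demo_not_found', 'Unknown plugin', array( 'status' => 404 ) );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        return new WP_Error( 'hc_demo_install_failed', 'Install failed', array( 'status' => 500 ) );
    }
    $plugin_file = $upgrader->plugin_info();
    $activated   = activate_plugin( $plugin_file );
    if ( is_wp_error( $activated ) ) {
        return $activated;
    }
    return rest_ensure_response( array( 'installed' => $plugin_file ) );
}

// VULNERABLE PATTERN: '__return_true' makes the route public. Any visitor can
// POST {"slug": "..."} and the site will fetch and activate that plugin, which is
// exactly the primitive the article describes (install, then activate, a second
// vulnerable plugin).
add_action( 'rest_api_init', function () {
    register_rest_route( 'hc_demo/v1', '/install', array(
        'methods'             => 'POST',
        'callback'            => 'hc_demo_install_plugin',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED PATTERN: the same handler, but the route now requires a logged-in user
// who holds the install_plugins capability (administrators by default), and the
// slug must match a fixed allow-list rather than being an arbitrary string.
function hc_demo_allowed_slug( $value ) {
    $allowed = array( 'hc-demo-required-plugin' ); // invented allow-list
    return is_string( $value ) && in_array( $value, $allowed, true );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'hc_demo/v1', '/install-hardened', array(
        'methods'             => 'POST',
        'callback'            => 'hc_demo_install_plugin',
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'install_plugins' );
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => 'hc_demo_allowed_slug',
            ),
        ),
    ) );
} );
```

Two points worth noting about the hardened form. First, WordPress core treats a cookie-authenticated REST request that lacks a valid `X-WP-Nonce` header as anonymous, so the capability check in `permission_callback` also closes the CSRF angle. Second, the allow-list matters independently of the authorization check: a theme companion only ever needs to install a handful of known plugins, so there is no reason for the handler to accept any slug a caller supplies.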

This is not the first serious vulnerability in Hunk Companion. A related flaw, **CVE-2024-9707**, was fixed in version 1.8.5. It too carried a severity rating of 9.8, underscoring the plugin’s record of critical security issues.

## The Larger Context: WordPress Security Obstacles

The problems with Hunk Companion and WP Query Console illustrate broader weaknesses in the WordPress ecosystem. With more than 40% of the web running on WordPress, a vulnerability in a plugin or theme can have wide repercussions. The main issues are:

1. **Delayed patch adoption**: Many site administrators do not update plugins and themes promptly, leaving sites exposed to flaws that already have fixes.
2. **Abandoned plugins**: Plugins such as WP Query Console, unmaintained for years, remain weak points. Their availability on WordPress.org, even briefly, can be abused by attackers.
3. **Bypass of removal**: The fact that a closed plugin could still be downloaded from WordPress.org raises questions about the repository’s controls.

## Suggestions for Website Administrators

To mitigate the dangers presented by these vulnerabilities, WordPress site administrators should carry out the following measures:

1. **Update plugins and themes**: Keep all plugins and themes, Hunk Companion included, at their latest versions. For Hunk Companion that means 1.9.0 or newer; 1.8.5 is not sufficient.
2. **Remove obsolete plugins**: Delete unmaintained plugins such as WP Query Console, whether active or not. An inactive copy is still on disk and is exactly what an attacker with the ability to activate plugins will use.
3. **Follow security advisories**: Subscribe to alerts from reputable sources such as WPScan to learn about vulnerabilities affecting WordPress plugins and themes.
4. **Use a web application firewall (WAF)**: A WAF, particularly one with virtual patching rules for known vulnerabilities, can block exploit traffic, but it is a stopgap rather than a substitute for updating.
5. **Back up regularly**: Keep consistent, off-site backups and test restoring them, so that a compromised site can be rebuilt quickly.
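As an added example for the checklist above (not code from the article, WPScan, or the plugin vendors), the following PHP command-line script audits a plugin inventory for the two conditions that matter here: Hunk Companion older than 1.9.0, and WP Query Console present at all. It assumes the input is the JSON produced by WP-CLI's `wp plugin list --format=json`, that the plugin directory slugs are `hunk-companion` and `wp-query-console`, and PHP 7.2 or later; the sample inventory embedded in it is constructed, not data from a real site.

```php
<?php
// Added example, not code from the article or the plugin vendors.
// Input: JSON from `wp plugin list --format=json` (fields: name, status, update, version).
// Assumed slugs: "hunk-companion" and "wp-query-console".

const HUNK_COMPANION_FIXED = '1.9.0'; // first release fixing CVE-2024-11972

/**
 * Returns one finding string per problem; an empty array means nothing to do.
 */
function audit_plugins( array $plugins ): array {
    $findings = array();
    foreach ( $plugins as $plugin ) {
        $name    = (string) ( $plugin['name'] ?? '' );
        $version = (string) ( $plugin['version'] ?? '0' );
        $status  = (string) ( $plugin['status'] ?? 'unknown' );

        // version_compare() handles multi-part versions correctly ("1.10.0" > "1.9.0"),
        // which a plain string comparison does not.
        if ( 'hunk-companion' === $name && version_compare( $version, HUNK_COMPANION_FIXED, '<' ) ) {
            $findings[] = sprintf(
                'hunk-companion %s (%s): vulnerable to CVE-2024-11972, update to %s or later; 1.8.5 only fixed CVE-2024-9707',
                $version, $status, HUNK_COMPANION_FIXED
            );
        }

        // Presence is the signal regardless of status: the attack chain installs the
        // plugin and then activates it, so an inactive copy may be a partially
        // completed or partially cleaned-up intrusion and still warrants investigation.
        if ( 'wp-query-console' === $name ) {
            $findings[] = sprintf(
                'wp-query-console %s (%s): unmaintained and vulnerable to CVE-2024-50498, delete it and review how it was installed',
                $version, $status
            );
        }
    }
    return $findings;
}

// Constructed sample inventory used when nothing is piped in (not real site data).
$sample_json = '[
  {"name":"hunk-companion","status":"active","update":"available","version":"1.8.5"},
  {"name":"wp-query-console","status":"inactive","update":"none","version":"1.0"},
  {"name":"akismet","status":"active","update":"none","version":"5.3.3"}
]';

$stdin   = ( PHP_SAPI === 'cli' && ! stream_isatty( STDIN ) ) ? stream_get_contents( STDIN ) : '';
$plugins = json_decode( '' === trim( $stdin ) ? $sample_json : $stdin, true );
if ( ! is_array( $plugins ) ) {
    fwrite( STDERR, "Could not parse plugin list JSON\n" );
    exit( 2 );
}

$findings = audit_plugins( $plugins );
foreach ( $findings as $finding ) {
    echo $finding, PHP_EOL;
}
exit( $findings ? 1 : 0 ); // non-zero exit lets fleet tooling flag the host
```

Run it against a live site with `wp plugin list --format=json | php audit.php`; with no input piped in it audits the constructed sample, which produces two findings. The non-zero exit status is deliberate so the script can sit in a cron job or fleet-management task and surface affected hosts without anyone reading the output by hand.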

## The Role of WordPress.org in Security

This incident also raises questions about WordPress.org’s responsibility for protecting its ecosystem. The existence of a path by which attackers could download a plugin that had been closed for review is troubling. Representatives from WordPress.org have not yet clarified whether that path has been shut off or whether it still poses a risk.

Going forward, WordPress.org needs to strengthen its procedures for reviewing and removing vulnerable plugins, and communicate more clearly with site administrators to encourage timely updates and explain security best practices.