Hunk Companion Zero-Day Flaw Lets Hackers Install Malicious Plugins: Update Now!

2024-12-12

WordPress website owners, especially those using ThemeHunk themes, be warned! A critical vulnerability in the Hunk Companion plugin has been actively exploited by attackers to install malicious plugins on vulnerable websites. This can lead to a variety of security breaches, including complete website takeover. Let’s dive into the details and learn how to protect yourself.

Hunk Companion Flaw Exposed: Hackers Install Vulnerable Plugins

The Hunk Companion plugin, designed to enhance ThemeHunk themes, contained a zero-day vulnerability (CVE-2024-11972) that allowed attackers to install arbitrary plugins without any authentication. This essentially gave them free rein to inject malicious plugins onto your website.

Exploiting Outdated Plugins for Maximum Damage

Hackers leveraged this vulnerability to install a vulnerable version of the “WP Query Console” plugin, which itself had a known RCE (Remote Code Execution) flaw (CVE-2024-50498). By exploiting this chained vulnerability, attackers could execute malicious code on your website, potentially leading to data theft, website defacement, or even deployment of persistent backdoor access.

Patch Available, But Many Websites Remain Vulnerable

The good news is that Hunk Companion released a security update (version 1.9.0) that addresses this zero-day flaw. However, at the time of writing, only around 1,800 websites have updated, leaving an estimated 8,000 websites still vulnerable.

What Undercode Says:

This incident highlights the importance of keeping your WordPress plugins and themes updated. Hackers are constantly scanning for vulnerabilities, and outdated software is a prime target. Here are some additional points to consider:

Regularly update all WordPress components. Aim for automatic updates whenever possible to ensure you have the latest security patches.
Don’t use niche or outdated plugins. While Hunk Companion might be convenient for ThemeHunk users, its relatively low user base makes it a less attractive option compared to widely used and actively maintained plugins.
Use a reputable security scanner. Tools like WPScan can help identify vulnerabilities in your WordPress installation, including outdated plugins and themes.
Maintain strong passwords. This might seem obvious, but strong and unique passwords for your WordPress admin accounts are essential to prevent unauthorized access.

By following these practices, you can significantly reduce the risk of falling victim to similar attacks in the future. Remember, security is an ongoing process, so stay vigilant and keep your WordPress site up-to-date.