One Article Review

Home - The article:
Source RiskIQ
Identifier 8627219
Publication date 2024-12-18 19:51:27 (viewed: 2024-12-18 20:08:34)
Title Unauthorized Plugin Installation/Activation in Hunk Companion
Text

## Snapshot

Researchers at WPScan have disclosed a critical vulnerability, CVE-2024-11972, in the Hunk Companion plugin that allows unauthenticated attackers to install and activate plugins directly from the WordPress.org repository via POST requests.

## Description

This flaw poses significant risk because it enables the installation of vulnerable or removed plugins, which attackers can then exploit for Remote Code Execution (RCE), SQL Injection, Cross-Site Scripting (XSS), and other attacks. These exploits can lead to compromised administrative access, database manipulation, and persistent backdoor creation.

The investigation revealed that attackers exploit this vulnerability through a two-step process: first, they install and activate the WP Query Console plugin, which has its own RCE vulnerability ([CVE-2024-50498](https://security.microsoft.com/intel-explorer/cves/CVE-2024-50498/)). Then, they leverage this RCE to execute malicious PHP code, such as deploying a PHP dropper for ongoing unauthorized uploads and access.

The vulnerability in Hunk Companion persisted until version 1.9.0, despite earlier claims that it was patched in versions 1.8.5+. Code analysis traced the flaw to an improper implementation of the permission\_callback function, which failed to restrict unauthorized access. Instead of returning a boolean or a WP\_Error object, it always evaluated as true, allowing unauthenticated requests to bypass the security check. Attackers exploited this flaw to invoke plugin installation and activation functions, even for plugins that were outdated, unmaintained, or removed.

This vulnerability highlights the risks associated with using third-party WordPress plugins and themes, particularly those that are unmaintained or improperly secured. With over 10,000 active installations of the Hunk Companion plugin, thousands of websites were exposed to potential exploitation.

WPScan emphasized the importance of keeping plugins and themes updated, auditing for vulnerabilities, and disabling unnecessary extensions to mitigate risk in WordPress environments.

## Recommendations

WPScan recommends that users upgrade to version 1.9.0+ to mitigate this threat. The Hunk Companion plugin author patched the vulnerability by ensuring the permission\_callback function correctly denies unauthorized requests. The fix involved changing the erroneous return statements to WP\_Error objects, effectively closing the exploit path.

## References

[Unauthorized Plugin Installation/Activation in Hunk Companion.](https://wpscan.com/blog/unauthorized-plugin-installation-activation-in-hunk-companion/) WPScan (accessed 2024-12-18).

## Copyright

**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
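The description above turns on a WordPress REST API detail: `WP_REST_Server` only denies a request when `permission_callback` returns `false`, `null`, or a `WP_Error`; any other value (a string, an array, the integer 0) is treated as "allowed". The following is an added illustration written for this page, not Hunk Companion's code and not WPScan's. The namespace, route paths and `example_*` function names are hypothetical; it shows a callback whose denial path returns a truthy value, which is the shape of bug the write-up describes, beside the corrected form that returns a boolean or a `WP_Error` on every path.

```php
<?php
// Added example (not the plugin's own code). Route namespace, paths and
// example_* names are hypothetical placeholders.

add_action( 'rest_api_init', function () {

    // VULNERABLE SHAPE. The REST server rejects a request only when the
    // permission callback returns false, null or a WP_Error. A callback
    // whose "deny" branch returns anything else never denies anyone.
    register_rest_route( 'example-plugin/v1', '/install-plugin-insecure', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_handler',
        'permission_callback' => 'example_permission_insecure',
    ) );

    // HARDENED SHAPE: boolean or WP_Error on every code path, capability
    // checks for both installing and activating, and validated input.
    register_rest_route( 'example-plugin/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_handler',
        'permission_callback' => 'example_permission_secure',
        'args'                => array(
            'slug' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

function example_permission_insecure( WP_REST_Request $request ) {
    if ( current_user_can( 'install_plugins' ) ) {
        return true;
    }
    // BUG: a non-empty string is not false/null/WP_Error, so the REST
    // server treats it as permission granted. Unauthenticated callers,
    // for whom current_user_can() is false, still reach the handler.
    return 'not allowed';
}

function example_permission_secure( WP_REST_Request $request ) {
    if ( current_user_can( 'install_plugins' ) && current_user_can( 'activate_plugins' ) ) {
        return true;
    }
    // rest_authorization_required_code() yields 401 for anonymous callers
    // and 403 for logged-in users who lack the capability.
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to install or activate plugins.', 'example-plugin' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

function example_install_plugin_handler( WP_REST_Request $request ) {
    // Echoes the sanitized slug back; the actual install/activate logic
    // is out of scope here, the gate in front of it is the point.
    return rest_ensure_response( array( 'slug' => $request->get_param( 'slug' ) ) );
}
```

When reviewing a plugin's REST routes, check every `permission_callback` for a return path that is neither a boolean nor a `WP_Error`; that single pattern is what let unauthenticated POST requests through in the case described above.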
Notes ★★★
Sent Yes
Tags Vulnerability Threat