Thursday, January 30, 2025

WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins


WordPress Hunk Companion Plugin

Threat actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks.

The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations.

"This flaw poses a significant security risk, as it allows attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution (RCE), SQL Injection, Cross-Site Scripting (XSS), and even the creation of administrative backdoors," WPScan said in a report.


To make matters worse, attackers could leverage outdated or abandoned plugins to bypass security measures, tamper with database records, execute malicious scripts, and seize control of the sites.

WPScan said it uncovered the security defect when analyzing an infection on an unspecified WordPress site, finding that threat actors were weaponizing it to install a now-closed plugin called WP Query Console, and subsequently leveraging an RCE bug in the installed plugin to execute malicious PHP code.


It is worth noting that the zero-day RCE flaw in WP Query Console, tracked as CVE-2024-50498 (CVSS score: 10.0), remains unpatched.

CVE-2024-11972 is also a patch bypass for CVE-2024-9707 (CVSS score: 9.8), a similar vulnerability in Hunk Companion that could permit the installation or activation of unauthorized plugins. That shortcoming was addressed in version 1.8.5.

At its core, the flaw stems from a bug in the script "hunk-companion/import/app/app.php" that allows unauthenticated requests to bypass the checks put in place to verify whether the current user has permission to install plugins.
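The class of bug described above, shown as an added illustration that is not the Hunk Companion code: a WordPress REST route that reaches a plugin-install handler with no capability check, beside the corrected registration. The route names and handler functions are hypothetical; the WordPress APIs used (register_rest_route, current_user_can, WP_Error) are real.

```php
<?php
// Illustrative only: NOT the Hunk Companion source. The route and handler
// names are made up; only the WordPress API calls are real.

// Weak pattern: permission_callback always returns true, so an unauthenticated
// request to this route reaches the install handler. Any request can trigger
// a plugin install, which is the failure mode the article describes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/install', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_unchecked',
        'permission_callback' => '__return_true', // no capability check at all
    ) );
} );

function example_install_plugin_unchecked( WP_REST_Request $request ) {
    $slug = sanitize_key( $request->get_param( 'slug' ) );
    // ... install logic would run here for ANY caller.
    return rest_ensure_response( array( 'installed' => $slug ) );
}

// Hardened pattern: require the install_plugins capability, which neither
// anonymous visitors nor Subscriber-level accounts hold. Input is declared
// and sanitized in the route definition.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/install-fixed', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_checked',
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' );
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

function example_install_plugin_checked( WP_REST_Request $request ) {
    // Defense in depth: re-check the capability inside the handler too, so a
    // future change to the route registration cannot silently reopen the hole.
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    $slug = sanitize_key( $request->get_param( 'slug' ) );
    // ... install logic (e.g. Plugin_Upgrader) would run here for admins only.
    return rest_ensure_response( array( 'installed' => $slug ) );
}
```

When auditing a third-party plugin, grep its REST registrations and AJAX handlers for `__return_true` permission callbacks or handlers that never call `current_user_can()` before privileged operations such as plugin installation.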


"What makes this attack particularly dangerous is its combination of factors — leveraging a previously patched vulnerability in Hunk Companion to install a now-removed plugin with a known Remote Code Execution flaw," WPScan's Daniel Rodriguez noted.


"The chain of exploitation underscores the importance of securing every component of a WordPress site, especially third-party themes and plugins, which can become critical points of entry for attackers."

The development comes as Wordfence disclosed a high-severity flaw in the WPForms plugin (CVE-2024-11205, CVSS score: 8.5) that makes it possible for authenticated attackers, with Subscriber-level access and above, to refund Stripe payments and cancel subscriptions.

The vulnerability, which affects versions 1.8.4 up to, and including, 1.9.2.1, has been resolved in versions 1.9.2.2 and later. The plugin is installed on over 6 million WordPress sites.
