Attackers are exploiting a critical vulnerability in the Companion plugin for WordPress to install other vulnerable plugins that can open the door to various attacks.
The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations.
“This flaw poses a significant security risk as it allows attackers to install vulnerable or closed plugins that can then be used for attacks such as remote code execution (RCE), SQL injection, cross-site scripting (XSS), or even the creation of administrative backdoors,” WPScan said in the report.
Worse, attackers can use outdated or deprecated plugins to bypass security measures, falsify database records, execute malicious scripts, and seize control of sites.
WPScan said it discovered a security flaw while analyzing an infection on an unspecified WordPress site, finding that threat actors used it to install a now-closed plugin called WP Requests Consoleand then exploit the RCE bug in the installed plugin to execute malicious PHP code.
Of note is the zero-day RCE flaw in the WP Query Console, which is tracked as CVE-2024-50498 (CVSS score: 10.0), remains unfixed.
CVE-2024-11972 is also a patch workaround for CVE-2024-9707 (CVSS Score: 9.8), a similar vulnerability in Hunk Companion that could allow the installation or activation of unauthorized plugins. This flaw was fixed in version 1.8.5.
Essentially, this stems from a bug in the “hunk‑companion/import/app/app.php” script that allows unauthenticated requests to bypass the checks set up to check if the current user has permission to install plugins.
“What makes this attack particularly dangerous is its combination of factors – using a previously patched vulnerability in Hunk Companion to install a now-removed plugin with a known remote code execution flaw,” noted WPScan’s Daniel Rodriguez.
“The exploit chain highlights the importance of securing every component of a WordPress site, especially third-party themes and plugins, which can be a critical entry point for attackers.”
The development comes as Wordfence opened lack of high seriousness in WPForms plugin (CVE-2024-11205, CVSS Score: 8.5) that allows authenticated attackers with subscriber-level access or higher to refund Stripe payments and cancel subscriptions.
The vulnerability affecting versions 1.8.4 through 1.9.2.1 inclusive has been fixed in versions 1.9.2.2 or later. The plugin is installed on over 6 million WordPress sites.