Hunk Companion Plugin Exploit Threatens Thousands of WordPress Sites
Originally Published 1 year ago — by The Hacker News
A critical vulnerability in the WordPress Hunk Companion plugin, tracked as CVE-2024-11972, is being exploited by attackers to install other vulnerable plugins, leading to potential Remote Code Execution (RCE) and other attacks. The flaw affects all versions before 1.9.0 and allows unauthorized plugin installations, posing significant security risks. This vulnerability is a patch bypass for a similar flaw, CVE-2024-9707, and highlights the importance of securing WordPress components. Additionally, a high-severity flaw in the WPForms plugin has been disclosed, affecting millions of sites.