Major Security Flaws Found in Popular WordPress Plugins: Urgent Action Required

Recent discoveries have unveiled critical security vulnerabilities in widely used WordPress plugins, posing significant risks to over 200,000 websites. These flaws allow unauthorized access and potential remote code execution, prompting urgent updates from developers to safeguard users.

Key Takeaways

  • Two critical vulnerabilities in CleanTalk’s anti-spam plugin affect over 200,000 installations.

  • A zero-day vulnerability in the Hunk Companion plugin is actively exploited, impacting 10,000 sites.

  • Users are urged to update their plugins immediately to prevent exploitation.

Overview of Vulnerabilities

The vulnerabilities identified in the CleanTalk anti-spam plugin, tracked as CVE-2024-10542 and CVE-2024-10781, have a CVSS score of 9.8, indicating a severe risk. These flaws allow attackers to execute arbitrary code remotely without authentication, enabling them to install and activate malicious plugins on compromised sites.

The first vulnerability, CVE-2024-10542, involves an authorization bypass that affects remote calls and plugin installations. Attackers can exploit this flaw to bypass security checks and perform unauthorized actions, such as installing or activating plugins.

The second vulnerability, CVE-2024-10781, allows attackers to authorize themselves with a token that matches the hash of an empty value, which is what the check computes when no API key has been configured. The flaw was patched in version 6.45, released on November 14, but as of late November roughly half of the active installations remained unpatched.
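The "empty hash" pattern behind CVE-2024-10781 is easier to see in code. The block below is an added illustration, not CleanTalk's code and not taken from the article: the shape of the flawed check, the choice of MD5 and SHA-256, and the function names are all assumptions made for the example. It shows the unconfigured-key case beside a hardened check that refuses when no key is set and compares in constant time.

```python
import hashlib
import hmac
from typing import Optional


def vulnerable_token_check(request_token: str, api_key: Optional[str]) -> bool:
    """Assumed shape of the flawed check (illustrative, not the plugin's code).

    The configured key is hashed and compared with the caller's token. When no
    key has been configured the hash is computed over the empty string, a value
    anyone can calculate, so every caller passes the check.
    """
    expected = hashlib.md5((api_key or "").encode()).hexdigest()  # md5 is an assumption
    return request_token == expected


def hardened_token_check(request_token: str, api_key: Optional[str]) -> bool:
    """Refuse outright when the key is unset, then compare in constant time."""
    if not api_key:
        return False  # an unconfigured key must never be treated as a valid secret
    expected = hashlib.sha256(api_key.encode()).hexdigest()
    return hmac.compare_digest(request_token, expected)


# The value the flawed check accepts whenever no key is configured.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

if __name__ == "__main__":
    print("vulnerable, no key configured:", vulnerable_token_check(EMPTY_MD5, None))
    print("hardened, no key configured:", hardened_token_check(EMPTY_MD5, None))
    good = hashlib.sha256(b"configured-secret").hexdigest()
    print("hardened, correct token:", hardened_token_check(good, "configured-secret"))
```

The fix is two separate decisions: an absent secret is a configuration error and should fail closed, and the comparison itself should not leak timing. Either one alone leaves a gap.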

Hunk Companion Plugin Vulnerability

In addition to the CleanTalk vulnerabilities, a critical flaw in the Hunk Companion plugin has been discovered, tracked as CVE-2024-11972. This zero-day vulnerability allows unauthorized POST requests to install arbitrary plugins, including outdated and vulnerable ones, on sites using the plugin.

  • Impact: The flaw affects all versions prior to 1.9.0 and has been exploited to install plugins like WP Query Console, which has not been updated in over seven years.

  • Consequences: Attackers can execute malicious PHP code, creating backdoor access to the site.

Despite the release of a patch, only a small percentage of users have updated, leaving thousands of sites vulnerable to attacks.

Recommendations for Users

To mitigate the risks associated with these vulnerabilities, users are strongly advised to:

  1. Update Plugins: Ensure that all WordPress plugins are updated to the latest versions, specifically CleanTalk’s anti-spam plugin (version 6.45) and Hunk Companion (version 1.9.0).

  2. Monitor for Unusual Activity: Regularly check for any unauthorized changes or suspicious activity on your WordPress site.

  3. Implement Security Measures: Consider using security plugins that offer additional protection against vulnerabilities and attacks.
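One concrete way to act on steps 1 and 2 above is to keep an approved list of plugins and versions and compare the live plugin directory against it, so a plugin that was installed without authorization (as in the Hunk Companion case) or a plugin that is still on a vulnerable version shows up on the next check. The example below is added here and is not code from the article or from any plugin vendor; the slugs, plugin names and versions are constructed sample data. It parses the real WordPress plugin header fields ("Plugin Name:", "Version:") from in-memory source text; reading the files from wp-content/plugins/ is left to the caller.

```python
import re
from typing import Dict, List

# Matches the "Plugin Name:" and "Version:" fields of a WordPress plugin header
# comment, with or without the leading " * " of a docblock-style comment.
HEADER_FIELD_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Return the Plugin Name and Version fields found in a plugin's main file."""
    return dict(HEADER_FIELD_RE.findall(php_source))


def audit_plugins(installed: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Compare installed plugins (slug -> main-file source) against an approved
    baseline (slug -> expected version) and report every deviation."""
    findings: List[str] = []
    for slug, source in sorted(installed.items()):
        header = parse_plugin_header(source)
        name = header.get("Plugin Name", "?")
        version = header.get("Version", "?")
        if slug not in baseline:
            findings.append(f"UNEXPECTED {slug}: '{name}' {version} is not in the approved baseline")
        elif version != baseline[slug]:
            findings.append(f"VERSION {slug}: {version} installed, baseline expects {baseline[slug]}")
    for slug in sorted(set(baseline) - set(installed)):
        findings.append(f"MISSING {slug}: in baseline but not installed")
    return findings


# Constructed sample data: slugs, names and versions are made up for this example.
BASELINE = {"anti-spam-example": "6.45", "theme-companion-example": "1.9.0"}
INSTALLED = {
    "anti-spam-example": "<?php\n/*\nPlugin Name: Anti-Spam Example\nVersion: 6.44\n*/\n",
    "theme-companion-example": "<?php\n/**\n * Plugin Name: Theme Companion Example\n * Version: 1.9.0\n */\n",
    "stale-query-tool": "<?php\n/*\nPlugin Name: Stale Query Tool\nVersion: 1.0\n*/\n",
}


def run_audit() -> List[str]:
    """Audit the constructed sample: one outdated plugin, one unapproved plugin."""
    return audit_plugins(INSTALLED, BASELINE)


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

Run it from a scheduled job and alert on any non-empty result; an UNEXPECTED finding is the signal that matters most here, since both vulnerabilities described in this article end with a plugin the site owner never chose to install.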

Conclusion

The recent vulnerabilities in popular WordPress plugins highlight the importance of maintaining up-to-date software to protect against potential threats. Users must act swiftly to update their plugins and secure their websites from exploitation. Failure to do so could result in severe consequences, including unauthorized access and data breaches.

