Thousands of websites running WordPress remain unpatched against a critical security flaw in a widely used plugin that was being actively exploited in attacks that allow unauthenticated execution of malicious code, security researchers said.
The vulnerability, tracked as CVE-2024-11972, is found in Hunk Companion, a plugin that runs on 10,000 sites that use the WordPress content management system. The vulnerability, which carries a severity rating of 9.8 out of a possible 10, was patched earlier this week. At the time this post went live on Ars, figures available on the Hunk Companion page showed that less than 12 percent of users had installed the patch, meaning almost 9,000 sites could be next to be targeted.
Significant, multifaceted threat
“This vulnerability represents a significant and multifaceted threat, targeting sites that use both a ThemeHunk theme and the Hunk Companion plugin,” Daniel Rodriguez, a researcher with WordPress security firm WP Scan, wrote. “With over 10,000 active installations, this exposed thousands of websites to anonymous, unauthenticated attacks capable of severely compromising their integrity.”
Rodriguez said WP Scan discovered the vulnerability while analyzing the compromise of a customer’s site. The firm found that the initial vector was CVE-2024-11972. The exploit allowed the hackers behind the attack to cause vulnerable sites to automatically navigate to wordpress.org and download WP Query Console, a plugin that hasn’t been updated in years.