WordPress Plugin, Hunk Companion, Critical Vulnerability Patched

A serious security vulnerability has been discovered in the Hunk Companion plugin for WordPress, affecting versions before 1.9.0.

Researchers at WPScan found the vulnerability in Hunk Companion, a plugin used with themes by ThemeHunk. It stems from a failed validation involving a hard-coded link in the plugin’s code to the WordPress plugin repository. The vulnerability allows unauthenticated requests to install and activate plugins, including known vulnerable or closed plugins, directly from the WordPress repository. Those plugins can then be exploited to execute malicious actions such as stealing sensitive data, modifying information, and even gaining administrative access to the affected sites.

As of the current version 1.9.1, the vulnerability has been patched. The plugin is in active use on over 10,000 sites, however, so many may still be running the vulnerable version.

Website owners using this plugin are urged to update to the latest release as soon as possible to protect their sites from further attacks.
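For anyone managing several sites, the following is an added example (not code from WPScan, ThemeHunk or the original article) that reads the installed plugin's header and flags versions before 1.9.0. The directory slug `hunk-companion`, the helper names and the sample sites are assumptions constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 9, 0)        # from the article: versions before 1.9.0 are affected
SLUG = "hunk-companion"  # assumption: plugin directory under wp-content/plugins
# Matches the "Version:" field of a WordPress plugin header comment.
HEADER = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)

def parse_version(text):
    """Turn '1.8.4' into (1, 8, 4), padded to three parts for comparison."""
    parts = [int(p) for p in text.strip(".").split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(plugins_dir):
    """Return the header version, or None if the plugin or its header is absent."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only reads the first 8 KB of a file for header fields.
        match = HEADER.search(php.read_text(errors="replace")[:8192])
        if match:
            return parse_version(match.group(1))
    return None

def audit(plugins_dir):
    """Classify one site: 'absent', 'vulnerable' or 'patched'."""
    version = installed_version(plugins_dir)
    if version is None:
        return "absent"
    return "vulnerable" if version < FIXED else "patched"

def make_site(root, name, version):
    """Build a constructed plugins directory for the demo (not real plugin code)."""
    plugins = Path(root) / name / "wp-content" / "plugins"
    (plugins / SLUG if version else plugins).mkdir(parents=True)
    if version:
        (plugins / SLUG / "main.php").write_text(
            f"<?php\n/*\n * Plugin Name: Hunk Companion\n * Version: {version}\n */\n")
    return plugins

def demo():
    with tempfile.TemporaryDirectory() as root:
        sites = {"a": "1.8.4", "b": "1.9.0", "c": "1.9.1", "d": None}
        return {n: audit(make_site(root, n, v)) for n, v in sites.items()}

if __name__ == "__main__":
    print(demo())
```

Point `audit()` at each site's real `wp-content/plugins` directory; a copy that is installed but deactivated is still reported, since the files remain on disk.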
