In a recent cybersecurity incident, a critical vulnerability in the WordPress Hunk Companion plugin has been exploited by attackers to silently install and activate vulnerable plugins from the WordPress.org repository. This flaw, identified as CVE-2024-9707, poses a significant threat to WordPress sites, enabling unauthorized plugin installations that can lead to severe security breaches.
The Hunk Companion plugin, widely used for enhancing WordPress site functionalities, has been found to contain a critical flaw in versions up to and including 1.8.4. This vulnerability allows unauthenticated attackers to exploit the plugin’s REST API endpoint, /wp-json/hc/v1/themehunk-import, to install and activate plugins without proper authorization.
Method of Exploitation
The exploitation process involves a two-step attack:
- Unauthenticated Installation/Activation: Attackers exploit the vulnerability to install and activate the now-closed and vulnerable plugin, WP Query Console.
- Remote Code Execution (RCE): The vulnerability in WP Query Console is then leveraged to execute arbitrary and malicious PHP code on the compromised site.
In documented cases, attackers used the RCE to deploy a PHP dropper in the site’s root directory, allowing persistent backdoor access via GET requests.
Investigation and Findings
The vulnerability was uncovered during an investigation into a WordPress site infection. Access logs revealed that the modification times of a suspicious PHP file in the root directory coincided with POST requests to the Hunk Companion and WP Query Console endpoints.
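The log correlation described above can be scripted. The following PHP CLI script is an added example, not code from the original article or from the plugin's authors: it parses constructed access-log lines in the common "combined" format and flags any client that sends a successful POST to the Hunk Companion import endpoint and then, within a short window, requests a root-level PHP file that WordPress does not ship. The WP Query Console endpoint path is a placeholder, since the article does not name it, and the log lines are constructed for illustration.

```php
<?php
// Added example (not part of the original article): CLI triage of access logs
// for the two-step pattern (HC import POST, then a GET to a dropper at root).
// Assumptions: "combined" log format; WQC_PATH_PLACEHOLDER is hypothetical
// because the article does not give the WP Query Console endpoint path.
// Run: php triage.php

const HC_IMPORT_PATH = '/wp-json/hc/v1/themehunk-import';
const WQC_PATH_PLACEHOLDER = '/wp-json/wqc-endpoint-placeholder/'; // hypothetical

// Files WordPress ships at the web root; any other root-level .php deserves a look.
const KNOWN_ROOT_PHP = [
    'index.php', 'wp-login.php', 'wp-cron.php', 'xmlrpc.php', 'wp-comments-post.php',
    'wp-signup.php', 'wp-activate.php', 'wp-trackback.php', 'wp-links-opml.php', 'wp-mail.php',
];

// Constructed sample log lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
const SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2024:10:01:02 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 184 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Dec/2024:10:01:09 +0000] "POST /wp-json/wqc-endpoint-placeholder/query HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Dec/2024:10:01:15 +0000] "GET /unlisted-file.php HTTP/1.1" 200 73 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Dec/2024:10:05:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2024:10:05:44 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 401 60 "-" "Mozilla/5.0"',
];

// Parse one combined-format line into ip/time/method/path/status, or null if it does not match.
function parseLogLine(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    $path = parse_url($m[4], PHP_URL_PATH) ?: $m[4];
    return ['ip' => $m[1], 'time' => $ts->getTimestamp(), 'method' => $m[3], 'path' => $path, 'status' => (int) $m[5]];
}

// True for a root-level .php file (no further slash) that WordPress does not ship.
function isUnknownRootPhp(string $path): bool {
    if (!preg_match('#^/([^/]+\.php)$#i', $path, $m)) {
        return false;
    }
    return !in_array(strtolower($m[1]), KNOWN_ROOT_PHP, true);
}

// One finding line per suspicious event, grouped by client IP and ordered by time.
function findSuspiciousSequences(array $lines, int $windowSeconds = 600): array {
    $byIp = [];
    foreach ($lines as $line) {
        $entry = parseLogLine($line);
        if ($entry !== null) {
            $byIp[$entry['ip']][] = $entry;
        }
    }
    $findings = [];
    foreach ($byIp as $ip => $entries) {
        usort($entries, fn($a, $b) => $a['time'] <=> $b['time']);
        $installAt = null; // time of the last successful HC import POST from this IP
        foreach ($entries as $e) {
            if ($e['method'] === 'POST' && $e['path'] === HC_IMPORT_PATH) {
                if ($e['status'] < 300) {
                    $installAt = $e['time'];
                    $findings[] = "$ip: successful POST to HC import endpoint at " . date('c', $e['time']);
                } else {
                    $findings[] = "$ip: rejected POST to HC import endpoint (HTTP {$e['status']})";
                }
            } elseif ($installAt !== null && $e['time'] - $installAt <= $windowSeconds) {
                $delta = $e['time'] - $installAt;
                if (str_starts_with($e['path'], WQC_PATH_PLACEHOLDER)) {
                    $findings[] = "$ip: WP Query Console endpoint called {$delta}s after HC import";
                }
                if (isUnknownRootPhp($e['path'])) {
                    $findings[] = "$ip: {$e['method']} of unknown root-level file {$e['path']} {$delta}s after HC import; compare its mtime";
                }
            }
        }
    }
    return $findings;
}

foreach (findSuspiciousSequences(SAMPLE_LOG) as $finding) {
    echo $finding, PHP_EOL;
}
```

In practice the root-level allowlist should be generated from the site's own install (for example from a clean copy of the same WordPress version) rather than hard-coded, and the window should be widened when the dropper was fetched hours after installation. Requests that were rejected with 401 are still worth recording, since they show who was probing the endpoint before the vulnerable version was in place.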
Further analysis confirmed that the vulnerability persisted even in version 1.8.7 of the Hunk Companion plugin, despite claims of a fix in version 1.8.5. The flaw was traced to the code responsible for handling plugin installations, which failed to properly validate user permissions and nonce values.
Code Analysis
The vulnerability stems from the following code in hunk-companion/import/core/class-installation.php:
    register_rest_route('hc/v1', 'themehunk-import', array(
        'methods' => 'POST',
        'callback' => array($this, 'tp_install'),
        // Vulnerable as shipped: each denial below returns a WP_REST_Response
        // object, which WordPress treats as "permission granted".
        'permission_callback' => function () {
            if (!is_user_logged_in()) {
                return new WP_REST_Response('Unauthorized: User not logged in', 401);
            }
            if (!current_user_can('install_plugins')) {
                return new WP_REST_Response('Unauthorized: Insufficient capabilities', 401);
            }
            // Note: $request is never declared in this closure, so the nonce
            // read below is not even reachable with a usable request object.
            $nonce = $request->get_header('X-WP-Nonce');
            if (!wp_verify_nonce($nonce, 'hc_import_nonce')) {
                return new WP_REST_Response('Unauthorized: Invalid nonce', 401);
            }
            return true;
        },
    ));
The permission_callback function incorrectly returns WP_REST_Response objects instead of boolean values. WordPress treats any permission_callback result other than false, null or a WP_Error as permission granted, so every one of the "Unauthorized" branches actually lets the request through and the checks always pass.
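The following PHP script is an added example, not the plugin's or WordPress core's code. It places the vulnerable permission_callback next to a hardened one and runs both through a simplified model of how WP_REST_Server interprets the callback's return value. The WordPress classes and functions it defines (WP_Error, WP_REST_Response, WP_REST_Request, is_user_logged_in, current_user_can, wp_verify_nonce) are minimal stand-ins so the script runs from the command line; on a real site they come from core and must not be redefined.

```php
<?php
// Added example, not the plugin's or WordPress core's code. The classes and
// functions below are stand-ins so this runs from the CLI (php permission_demo.php).

class WP_Error {
    public function __construct(public string $code, public string $message, public array $data = []) {}
}
class WP_REST_Response {
    public function __construct(public $data = null, public int $status = 200) {}
}
class WP_REST_Request {
    public function __construct(private array $headers = []) {}
    public function get_header(string $name): ?string { return $this->headers[$name] ?? null; }
}
function is_wp_error($thing): bool { return $thing instanceof WP_Error; }

// Demo "current user": null means an anonymous visitor.
$GLOBALS['demo_user'] = null;
function is_user_logged_in(): bool { return $GLOBALS['demo_user'] !== null; }
function current_user_can(string $cap): bool {
    return is_user_logged_in() && in_array($cap, $GLOBALS['demo_user']['caps'], true);
}
// Stand-in: the real function validates a tied-to-session token; here the token is a fixed string.
function wp_verify_nonce(?string $nonce, string $action) { return $nonce === 'valid-' . $action ? 1 : false; }

// Simplified model of WP_REST_Server: a WP_Error is sent back to the client,
// a strict false/null becomes a 401/403, and any other value (a WP_REST_Response
// object included) is treated as "allowed".
function server_allows($result): bool {
    if (is_wp_error($result)) {
        return false;
    }
    if (false === $result || null === $result) {
        return false;
    }
    return true;
}

// Vulnerable pattern from the article: denials are objects, and objects are truthy.
$vulnerable_permission_callback = function (WP_REST_Request $request) {
    if (!is_user_logged_in()) {
        return new WP_REST_Response('Unauthorized: User not logged in', 401);
    }
    if (!current_user_can('install_plugins')) {
        return new WP_REST_Response('Unauthorized: Insufficient capabilities', 401);
    }
    if (!wp_verify_nonce($request->get_header('X-WP-Nonce'), 'hc_import_nonce')) {
        return new WP_REST_Response('Unauthorized: Invalid nonce', 401);
    }
    return true;
};

// Hardened version: deny with a WP_Error (or plain false), never with a response object,
// and accept the WP_REST_Request that WordPress passes as the callback's argument.
$hardened_permission_callback = function (WP_REST_Request $request) {
    if (!is_user_logged_in()) {
        return new WP_Error('rest_not_logged_in', 'You are not currently logged in.', ['status' => 401]);
    }
    if (!current_user_can('install_plugins')) {
        return new WP_Error('rest_forbidden', 'You are not allowed to install plugins.', ['status' => 403]);
    }
    if (!wp_verify_nonce($request->get_header('X-WP-Nonce'), 'hc_import_nonce')) {
        return new WP_Error('rest_invalid_nonce', 'Nonce check failed.', ['status' => 403]);
    }
    return true;
};

$yesno = fn(bool $b) => $b ? 'yes' : 'no';

$anonymous = new WP_REST_Request(); // no session, no nonce header
printf("vulnerable callback, anonymous caller allowed: %s\n", $yesno(server_allows($vulnerable_permission_callback($anonymous))));
printf("hardened callback,   anonymous caller allowed: %s\n", $yesno(server_allows($hardened_permission_callback($anonymous))));

$GLOBALS['demo_user'] = ['caps' => ['install_plugins']];
$admin = new WP_REST_Request(['X-WP-Nonce' => 'valid-hc_import_nonce']);
printf("hardened callback,   administrator with nonce allowed: %s\n", $yesno(server_allows($hardened_permission_callback($admin))));
```

Running it shows the anonymous caller passing the vulnerable callback and being refused by the hardened one, while the administrator with a valid nonce still passes. The general rule for any plugin's REST routes is the one the hardened callback follows: a permission_callback returns true, false or a WP_Error, and nothing else; response objects belong in the route's callback, not in its permission check.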
Recommendations to Mitigate Future Threats
To prevent similar vulnerabilities and enhance WordPress site security, consider the following best practices:
- Regularly Update Plugins: Ensure all plugins are updated to their latest versions to benefit from security patches.
- Use Trusted Plugins: Only install plugins from reputable sources and verify their credibility.
- Implement Strong Access Controls: Restrict plugin installation and activation permissions to trusted administrators.
- Enable Security Plugins: Use security plugins to monitor and block unauthorized activities.
- Conduct Regular Security Audits: Periodically audit your site for vulnerabilities and unusual activities.
- Employ Web Application Firewalls (WAF): Deploy WAFs to filter and monitor HTTP requests.
- Backup Regularly: Maintain regular backups of your site to recover quickly from security incidents.
- Monitor Logs: Regularly review access and error logs for signs of suspicious activities.
- Educate Users: Train site administrators and users on security best practices.
- Use Strong Passwords: Enforce the use of strong, unique passwords for all user accounts.
Conclusion
The exploitation of the Hunk Companion plugin vulnerability underscores the importance of rigorous security practices in managing WordPress sites. By staying vigilant and implementing robust security measures, site administrators can mitigate the risks posed by such vulnerabilities.