Another major WordPress plugin has been hacked to try and hijack your sites




  • Researchers from WPScan find flaw in Hunk Companion, a plugin with roughly 10,000 users
  • The flaw allows crooks to install other plugins from the WP repository, including those with known RCE flaws
  • WPScan found the flaw while investigating an active attack

Hackers have reportedly found a way to install old, outdated, and vulnerable plugins on WordPress websites, directly from the WordPress plugin repository. That way, they can introduce known vulnerabilities to target sites made with the website builder, which in turn give them remote code execution (RCE), SQL injection, cross-site scripting (XSS), admin account creation, and more.

The bug that allows crooks to do that was found in Hunk Companion, a utility plugin designed to enhance the functionality of WordPress themes developed by ThemeHunk.


