Tag Archives: WPScan

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024. I made this episode exclusively for the Telegram channel @avleonovcom “Vulnerability Management and More”.

Video on YouTube, LinkedIn
Post on Habr (rus)
Digest on the PT website

Content:

00:00 Greetings
00:28 Elevation of Privilege – Windows Kernel Streaming WOW Thunk Service Driver (CVE-2024-38144)
01:30 Elevation of Privilege – Windows Common Log File System Driver (CVE-2024-49138)
02:37 Remote Code Execution – Apache Struts (CVE-2024-53677)
03:31 Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972)
04:44 Trending vulnerabilities for 2024

08:10 Channel mascot

На русском

About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability

Leave a reply

About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability. ThemeHunk company develops commercial themes for WordPress CMS. And the Hunk Companion plugin is designed to complement and enhance the functionality of these themes. The plugin has over 10,000 installations.

On December 10, WPScan reported a vulnerability in Hunk Companion plugin versions below 1.9.0, allowing unauthenticated attackers to install and activate plugins from the WordPressOrg repository. The exploit has been on GitHub since December 28.

This way, attackers can install plugins that contain additional vulnerabilities. In the incident analyzed by WPScan, the attackers installed the WP Query Console plugin with RCE vulnerability CVE‑2024‑50498 on the website and exploited it to install a backdoor.

If you use WordPress, try to minimize the number of plugins and update them regularly!

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: WPScan

New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024

About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability