Overview
This critical vulnerability in the Hunk Companion plugin exposed thousands of WordPress websites to severe security risks. The flaw allowed attackers to install and activate vulnerable or removed plugins, enabling them to execute malicious code remotely.
Attack Vector
Attackers exploited this vulnerability in a two-step process:
- Installation of Vulnerable Plugin: They installed and activated the WP Query Console plugin, which was known to have an RCE vulnerability (CVE-2024-50498).
- Execution of Malicious Code: Leveraging the RCE in WP Query Console, attackers executed malicious PHP code, such as deploying a PHP dropper to maintain persistent unauthorized access.
Root Cause
The core issue stemmed from an improper implementation of the permission_callback function. This function, intended to restrict unauthorized access, was incorrectly configured to always evaluate as true. As a result, unauthenticated requests could bypass security checks, allowing attackers to install and activate plugins without proper authorization.
Attack Flow
- Unauthorized API Usage: Attackers send POST requests to /wp-json/hc/v1/themehunk-import, leveraging the endpoint to install the WP Query Console plugin without authentication.
- Command Execution: Using the newly installed WP Query Console plugin, attackers send POST requests to the /wqc/v1/query endpoint, executing arbitrary PHP commands.
- File Upload: This PHP command execution enables the upload of a malicious PHP file (e.g., /aea74fff3c02.php) to the root directory.
- Persistent Access: The backdoor file allows attackers to maintain unauthorized access through GET requests targeting the malicious file.
Impact
Successful exploitation of this vulnerability could lead to severe consequences, including:
- Remote Code Execution (RCE): Attackers could execute arbitrary code on the compromised server, potentially taking full control of the website.
- SQL Injection: Attackers could inject malicious SQL queries to manipulate or steal sensitive data from the database.
- Cross-Site Scripting (XSS): Attackers could inject malicious scripts into web pages, compromising user sessions and stealing sensitive information.
- Persistent Backdoors: Attackers could establish persistent backdoors to maintain unauthorized access to the website.
Indicators of Compromise (IOCs)
- API Endpoint Exploitation: Unauthenticated POST requests to /wp-json/hc/v1/themehunk-import and /wqc/v1/query.
- Unauthorized Files: Presence of randomly named PHP files (e.g., /aea74fff3c02.php) in the root directory.
- Log Timeline: Access logs showing a sequence of:
  - POST requests to /wp-json/hc/v1/themehunk-import
  - POST requests to /wqc/v1/query
  - GET requests to backdoor files.
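The log timeline above can be turned into a simple detection: track, per client IP, whether the three stages (import endpoint, query endpoint, GET to a hex-named PHP file in the root) appear in order. This is an added example, not code from the original advisory; the log lines are constructed, and the hex-name pattern for backdoor files is an assumption based on the /aea74fff3c02.php sample.

```python
import re
from collections import defaultdict

# Constructed sample access log (Apache combined-style prefix), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2024:10:01:02 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 512
203.0.113.10 - - [12/Dec/2024:10:01:09 +0000] "POST /wp-json/wqc/v1/query HTTP/1.1" 200 128
203.0.113.10 - - [12/Dec/2024:10:01:15 +0000] "GET /aea74fff3c02.php HTTP/1.1" 200 77
198.51.100.7 - - [12/Dec/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000
198.51.100.7 - - [12/Dec/2024:10:05:30 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 512
"""

# ip, two ident/user fields, bracketed timestamp, then "METHOD /path ..."
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# Assumption: backdoor names look like the sample (8+ hex chars, .php, in the site root).
BACKDOOR_RE = re.compile(r"/[0-9a-f]{8,}\.php")

# Ordered stages of the chain described in the advisory: (method, path predicate).
STAGES = [
    ("POST", lambda p: "/hc/v1/themehunk-import" in p),
    ("POST", lambda p: "/wqc/v1/query" in p),
    ("GET", lambda p: BACKDOOR_RE.fullmatch(p) is not None),
]


def parse(line):
    """Return (ip, method, path) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return (m.group("ip"), m.group("method"), m.group("path")) if m else None


def find_chains(log_text):
    """Map each IP that reached stage 1 to the highest stage (1-3) it reached in order."""
    progress = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, method, path = rec
        stage = progress[ip]
        if stage < len(STAGES):
            want_method, matches = STAGES[stage]
            if method == want_method and matches(path):
                progress[ip] = stage + 1  # advance only on the next expected step
    return {ip: n for ip, n in progress.items() if n > 0}


def full_chains(log_text):
    """IPs that completed all three stages, i.e. likely post-exploitation activity."""
    return sorted(ip for ip, n in find_chains(log_text).items() if n == len(STAGES))


if __name__ == "__main__":
    print(find_chains(SAMPLE_LOG))
    print("full chains:", full_chains(SAMPLE_LOG))
```

A stage-1 hit alone (the unauthenticated import call) is already worth investigating, since that request should never succeed on a patched site.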
Mitigation
- Update Plugin: Upgrade to version 1.9.0 or later.
- Review Logs: Audit access logs for suspicious API activity.
- Remove Backdoors: Identify and delete unauthorized files and plugins.
- Restrict API Access: Implement authentication for REST API endpoints.
Best Practices
To protect your WordPress website from this vulnerability and similar threats, follow these best practices:
- Keep Plugins and Themes Updated: Regularly update all plugins and themes to the latest versions to address security vulnerabilities.
- Use Reputable Plugins and Themes: Choose plugins and themes from trusted developers with active maintenance and security updates.
- Disable Unnecessary Plugins and Themes: Remove any plugins or themes that are not actively used to reduce the attack surface.
- Implement Strong Password Policies: Use strong, unique passwords for all administrative accounts.
- Enable Two-Factor Authentication (2FA): Add an extra layer of security by enabling 2FA for administrative accounts.
- Regularly Scan for Vulnerabilities: Use security scanning tools to identify and address potential vulnerabilities.
- Stay Informed: Keep up-to-date with the latest security advisories and best practices for WordPress.