/*! elementor-pro - v3.26.0 - 17-12-2024 */ (()=>{"use strict";class Screenshot extends elementorModules.ViewModule{getDefaultSettings(){return{empty_content_headline:"Empty Content.",crop:{width:1200,height:1500},excluded_external_css_urls:["https://kit-pro.fontawesome.com"],external_images_urls:["https://i.ytimg.com"],timeout:15e3,render_timeout:5e3,timerLabel:null,timer_label:`${ElementorScreenshotConfig.post_id} - timer`,image_placeholder:"data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=",isDebug:elementorCommonConfig.isElementorDebug,isDebugSvg:!1,...ElementorScreenshotConfig}}getDefaultElements(){const e=jQuery(ElementorScreenshotConfig.selector),t=e.find(".elementor-section-wrap > .elementor-section, .elementor > .elementor-section");return{$elementor:e,$sections:t,$firstSection:t.first(),$notElementorElements:elementorCommon.elements.$body.find("> *:not(style, link)").not(e),$head:jQuery("head")}}onInit(){return super.onInit(),this.log("Screenshot init","time"),this.timeoutTimer=setTimeout(this.screenshotFailed.bind(this),this.getSettings("timeout")),this.captureScreenshot()}captureScreenshot(){return this.elements.$elementor.length||(elementorCommon.helpers.consoleWarn("Screenshots: The content of this page is empty, the module will create a fake conent just for this screenshot."),this.createFakeContent()),this.removeUnnecessaryElements(),this.handleIFrames(),this.removeFirstSectionMargin(),this.handleLinks(),this.loadExternalCss(),this.loadExternalImages(),Promise.resolve().then(this.createImage.bind(this)).then(this.createImageElement.bind(this)).then(this.cropCanvas.bind(this)).then(this.save.bind(this)).then(this.screenshotSucceed.bind(this)).catch(this.screenshotFailed.bind(this))}createFakeContent(){this.elements.$elementor=jQuery("

").css({height:this.getSettings("crop.height"),width:this.getSettings("crop.width"),display:"flex",alignItems:"center",justifyContent:"center"}),this.elements.$elementor.append(jQuery("

").css({fontSize:"85px"}).html(this.getSettings("empty_content_headline"))),document.body.prepend(this.elements.$elementor)}loadExternalCss(){const e=[this.getSettings("home_url"),...this.getSettings("excluded_external_css_urls")].map((e=>`[href^="${e}"]`)).join(", ");jQuery("link").not(e).each(((e,t)=>{const s=jQuery(t),n=s.clone();n.attr("href",this.getScreenshotProxyUrl(s.attr("href"))),this.elements.$head.append(n),s.remove()}))}loadExternalImages(){const e=this.getSettings("external_images_urls").map((e=>`img[src^="${e}"]`)).join(", ");jQuery(e).each(((e,t)=>{const s=jQuery(t);s.attr("src",this.getScreenshotProxyUrl(s.attr("src")))}))}handleIFrames(){this.elements.$elementor.find("iframe").each(((e,t)=>{const s=jQuery(t),n=jQuery("
",{css:{background:"gray",width:s.width(),height:s.height()}});s.before(n),s.remove()}))}removeUnnecessaryElements(){let e=0;this.elements.$sections.filter(((t,s)=>{let n=!1;return e>=this.getSettings("crop.height")&&(n=!0),e+=jQuery(s).outerHeight(),n})).each(((e,t)=>{t.remove()})),this.elements.$notElementorElements.remove()}handleLinks(){elementorCommon.elements.$body.find("a").attr("href","/")}removeFirstSectionMargin(){this.elements.$firstSection.css({marginTop:0})}createImage(){const e=new Promise((e=>{window.addEventListener("load",(()=>{e()}))})),t=new Promise((e=>{setTimeout((()=>{e()}),this.getSettings("render_timeout"))}));return Promise.race([e,t]).then((()=>{if(this.log("Start creating screenshot."),this.getSettings("isDebugSvg"))return domtoimage.toSvg(document.body,{imagePlaceholder:this.getSettings("image_placeholder")}).then((e=>this.download(e))),Promise.reject("Debug SVG.");return/^((?!chrome|android).)safari/i.test(window.userAgent)?(this.log('Creating screenshot with "html2canvas"'),html2canvas(document.body).then((e=>e.toDataURL("image/png")))):(this.log('Creating screenshot with "dom-to-image"'),domtoimage.toPng(document.body,{imagePlaceholder:this.getSettings("image_placeholder")}))}))}download(e){const t=jQuery("",{href:e,download:"debugSvg.svg",html:"Download SVG"});elementorCommon.elements.$body.append(t),t.trigger("click")}createImageElement(e){const t=new Image;return t.src=e,new Promise((e=>{t.onload=()=>e(t)}))}cropCanvas(e){const t=this.getSettings("crop.width"),s=this.getSettings("crop.height"),n=document.createElement("canvas"),i=n.getContext("2d"),o=t/e.width;return n.width=t,n.height=s>e.height?e.height:s,i.drawImage(e,0,0,e.width,e.height,0,0,e.widtho,e.heighto),Promise.resolve(n)}save(e){return new Promise(((t,s)=>{elementorCommon.ajax.addRequest("screenshot_save",{data:{post_id:this.getSettings("post_id"),screenshot:e.toDataURL("image/png")},success:e=>{this.log(`Screenshot created: ${encodeURI(e)}`),t(e)},error:()=>{this.log("Failed to create screenshot."),s()}})}))}markAsFailed(){return new Promise(((e,t)=>{elementorCommon.ajax.addRequest("screenshot_failed",{data:{post_id:this.getSettings("post_id")},success:()=>{this.log("Marked as failed."),e()},error:()=>{this.log("Failed to mark this screenshot as failed."),t()}})}))}getScreenshotProxyUrl(e){return`${this.getSettings("home_url")}?screenshot_proxy&nonce=${this.getSettings("nonce")}&href=${e}`}screenshotSucceed(e){this.screenshotDone(!0,e)}screenshotFailed(e){this.log(e,null),this.markAsFailed().then((()=>this.screenshotDone(!1)))}screenshotDone(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:null;clearTimeout(this.timeoutTimer),this.timeoutTimer=null,window.parent.postMessage({name:"capture-screenshot-done",success:e,id:this.getSettings("post_id"),imageUrl:t},""),this.log(`Screenshot ${e?"Succeed":"Failed"}.`,"timeEnd")}log(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"timeLog";this.getSettings("isDebug")&&(console.log("string"==typeof e?`${this.getSettings("post_id")} - ${e}`:e),t&&console[t](this.getSettings("timer_label")))}}jQuery((()=>{new Screenshot}))})(); WordPress website security Archives - The Tach https://thetach.com/?tag=wordpress-website-security Thu, 12 Dec 2024 17:06:59 +0000 en-US hourly 1 https://wordpress.org/?v=6.7.1 WordPress Hunk Companion Plugin Exploited to Stealthily Install Risky Plugins https://thetach.com/?p=919 https://thetach.com/?p=919#respond Thu, 12 Dec 2024 17:06:58 +0000 https://thetach.com/?p=919 The WordPress Hunk Companion Plugin has been recently targeted by cyber attackers who used a critical hole to upload insecure versions of plugins secretly. This paragon of security breach has raised eyebrows within WordPressers since it opens websites to high risks. Hackers have abused this vulnerability to inject, for example, plugins beyond those recognized properly ... Read more

The post WordPress Hunk Companion Plugin Exploited to Stealthily Install Risky Plugins appeared first on The Tach.
]]> The WordPress Hunk Companion Plugin has been recently targeted by cyber attackers who used a critical hole to upload insecure versions of plugins secretly. This paragon of security breach has raised eyebrows within WordPressers since it opens websites to high risks. Hackers have abused this vulnerability to inject, for example, plugins beyond those recognized properly with exploitable bugs resulting in data leakage, website cracking, or total system compromise. The specific exploit exploitation of a vulnerability allows the execution of arbitrary code and direct installation of the plugin from the WordPress.org repository. These risky plugins may be out of date or in other words no longer under active development, limiting their security. Such activity is counterproductive and poses a huge threat to WordPress website security, which can bring long-term consequences to website owners.

Understanding the WordPress Hunk Companion Plugin

WordPress Hunk Companion Plugin was intended to boost the features of themes created by ThemeHunk. These themes are quite flexible and if you can install them, you are ready to roll, whether a small business, flying solo, or even a blogger. Though this plugin depends more on Hunk themes, it has become a handy tool for many WordPress users. At present, it is used on more than10,0000 sites. Even though it enjoys this level of popularity and is used on only about 7% of websites, it has not been immune to attackers seeking to capture any loophole that can be used to attack WordPress.

Details of the CVE-2024-11972 Vulnerability

The critical CVE-2024-11972 vulnerability allows attackers to execute unauthenticated plugin installations using specially crafted POST requests. Hackers exploit this flaw to bypass administrative controls and directly install plugins with known security flaws. Discovered by WPScan researcher Daniel Rodriguez, this vulnerability impacts all versions of the WordPress Hunk Companion Plugin released before version 1.9.0. The latest version, which was released as a security update, addresses this critical issue and is strongly recommended for all users.

How the Security Flaw Is Being Exploited

Cybercriminals exploiting the Hunk Companion security flaw have been observed installing outdated plugins like WP Query Console. This precise plugin has such nasty outdated flaws that a hacker can easily gain code execution (RCE) and more. The critical CVE-2024-11972 vulnerability is exploited to upload two PHP scripts to the victim sites. AThesescripts can be useful for such purposes as stealing data, modifying the contents, exploiting the loopholes, and making a persistent wrench to perform attacks in the future. This problem is a clear indication that a call for action and measures should be taken by website owners as soon as possible.

Active Exploitation Observed in the Wild

During their investigations, WPScan researchers documented active exploitation of the Hunk Companion security flaw. On an infected WordPress site, hackers installed risky plugins and placed malicious scripts in the root directory. These scripts enabled attackers to execute commands remotely, allowing continuous control over the compromised site. The presence of PHP droppers, which facilitate repeated unauthorized access, was particularly alarming. Similar techniques have used in other high-profile WordPress attacks, underscoring the sophistication of today’s cyber threats.

A History of Security Challenges

The WordPress Hunk Companion Plugin has faced security issues in the past. An earlier vulnerability has found in version 1.8.5 and termed as CVE-2024-9707. A patch made available, but later, the attackers able to circumvent it and again make the sites all exposed. These recurring vulnerabilities highlight the importance of robust security practices during plugin development. Developers must implement rigorous testing and frequent updates to mitigate risks and protect users.

Why Updating to Version 1.9.0 Is Crucial

There are several things to note regarding the Hunk Companion security vulnerability To put it in context, the release of version 1.9.0 has given a new direction in dealing with the problem. The targeted plugins are reported to in continuous use, and users are encouraged to update them to prevent further abuse on their websites.

Source: darkreading.com

However, the take-up of this release relatively subdued, with less than 20% of users having installed the update. This delay in rolling out updates experienced extensively amongst WordPress users. Many users fail to recognize the urgency of security updates, leaving their websites exposed to serious threats. Website owners must prioritize regular updates to maintain robust WordPress website security.

Practical Steps to Enhance Website Security

To safeguard against similar vulnerabilities and improve overall WordPress website security, consider the following best practices: Do not allow yourself to exploited by failing to update all tools to the latest version. Use reputable security plugins: There is protection and monitoring software available on the market, such as Wordfence and Sucuri. Limit plugin usage: In this context, you should install only the plugins that get updates and updates frequently and that you need. Enable two-factor authentication (2FA): Place an additional security measure on the admin page login. Monitor website activity: Perform scheduled check-ups to look for modifications that made without one’s knowledge, or abnormal behavior.

Consequences of Ignoring Security Flaws

Failing to address vulnerabilities like the Hunk Companion security flaw can lead to severe consequences. These include Loss of sensitive data: Hackers can steal customer information or business records. Business disruption: Website downtime caused by attacks can result in lost revenue. Reputation damage: A hacked website erodes user trust and credibility. Legal implications: They pave the way to litigation or regulatory penalties. Such risks explain why one needs to take preventive measures to safeguard websites from other formidable threats.

Conclusion

The attack on the WordPress Hunk Companion Plugin with the critical CVE-2024-11972 vulnerability is a good example of how dangerous the situation with website security is. Website owners have to be proactive in their approach and constantly learn how to adapt the plugins they use or modify for appropriate security measures as well as keep abreast with any risks. The risks are high: over 8,000 websites remain exposed. Measures should taken before the attacker continues further with the exploitation. And before the site owner or administrator protected against subsequent attacks. It is up to both developers and users to pay more attention to security in the current world of technology.

FAQs

What is the purpose of the WordPress Hunk Companion Plugin?
The plugin enhances Hunk themes, offering additional features and functionality.

What makes CVE-2024-11972 a critical vulnerability?
This flaw allows unauthorized plugin installations via POST requests, compromising websites.

How do hackers exploit outdated plugins like WP Query Console?
Hackers exploit known vulnerabilities in outdated plugins to execute malicious commands.

What measures can improve WordPress website security?
Regular updates, security plugins, and two-factor authentication strengthen website defenses.

The post WordPress Hunk Companion Plugin Exploited to Stealthily Install Risky Plugins appeared first on The Tach.
]]> https://thetach.com/?feed=rss2&p=919 0