Active Exploit Threatens Thousands of WordPress Sites With Critical Hunk Companion Flaw (CVE-2024-11972) Despite Patch

A critical flaw in a widely used WordPress plugin remains actively exploited on thousands of sites, even after patches were released. The vulnerability in the Hunk Companion plugin (CVE-2024-11972) allows unauthenticated attackers to execute malicious code by installing and activating arbitrary plugins, putting the integrity of affected sites at immediate risk. The risk is compounded by a second, independently dangerous vulnerability in the WP Query Console plugin (CVE-2024-50498), which carries a severity score of 10 and remains unpatched in many environments. With about 10,000 sites using Hunk Companion and fewer than one in every ten users having applied the patch, tens of thousands of sites could be exposed to rapid, automated exploitation. This report lays out how the exploitation chain works, the patch status across affected plugins, the potential impact for site owners, and concrete steps for remediation and defense.

Overview of the vulnerability and affected ecosystem

WordPress sites relying on the Hunk Companion plugin are at the center of a significant, multifaceted threat landscape. The primary vulnerability, CVE-2024-11972, resides in Hunk Companion and has a severity rating of 9.8 out of 10. The exposure is especially alarming because the flaw enables unauthenticated requests to bypass built-in security checks, facilitating the installation and activation of arbitrary plugins on affected sites. The plugin runs on roughly 10,000 WordPress installations, creating a broad attack surface that can enable attackers to take over site functionality, modify content, or embed backdoors that persist across site restarts and user sessions.

Compounding the danger is the fact that the exploitation chain leverages a second vulnerability in an older plugin, WP Query Console, tracked as CVE-2024-50498. This flaw carries a severity score of 10 and remains unpatched in many environments. In the observed attack flow, compromised sites automatically redirect to wordpress.org to fetch the WP Query Console plugin, which has not seen recent updates for years. The combination of these two flaws creates a pathway for remote, unauthenticated attackers to gain full control over vulnerable WordPress sites.

The patch for Hunk Companion was released in version 1.9.0, just days before the public notice of ongoing exploitation. Earlier, developers had addressed a related vulnerability in a previous patch (version 1.8.5) that was associated with CVE-2024-9707, also rated at 9.8. The early patch uptake on the Hunk Companion side was limited: at the time of reporting, less than 12 percent of users had applied the update, meaning a substantial share—approximately 9,000 sites or more—remained exposed and within the attackers’ reach. These numbers underscore a broader issue: even when patches exist, adoption lags can leave large swaths of the WordPress ecosystem vulnerable for extended periods.

Crucially, the vulnerability in Hunk Companion is tied to a flaw in the plugin’s code that allowed “unauthenticated requests to bypass the intended checks” and resulted in the “installation and activation of arbitrary plugins.” This design weakness creates direct pathways for attackers to implant malicious plugins, which can serve as backdoors, data harvesters, or tools for defacement and persistence. The attackers’ end goal is not merely to compromise a single vulnerability but to establish a foothold across multiple layers of WordPress environments, leveraging chained weaknesses to maximize impact.

In parallel, the WP Query Console vulnerability (CVE-2024-50498) represents a separate, high-severity flaw. The unpatched status of this vulnerability means that, even if a site upgrades Hunk Companion, if WP Query Console remains installed and unpatched, the attacker’s ability to execute malicious code remains intact through a different vector. The attack chain observed by security researchers shows a clear pattern: initial exploitation of Hunk Companion to trigger a redirect to a stale plugin, followed by exploitation of WP Query Console’s vulnerability to achieve remote code execution. The synergy between these vulnerabilities magnifies the overall risk to WordPress sites using both products.

Language in the security community has consistently described this scenario as a significant, multifaceted threat. The combination of unauthenticated access, automated plugin installation, and remote code execution creates a compelling incentive for attackers to automate probes across the WordPress ecosystem. For site operators who may not routinely monitor plugin integrity, the risk becomes an ongoing, real-time security concern rather than a one-off vulnerability notice. In this context, the patch cadence, adoption speed, and alignment between plugin developers and site owners become central to reducing exposure and preventing catastrophic outcomes.

Attack chain and exploitation mechanics

The exploit chain begins with the CVE-2024-11972 vulnerability in Hunk Companion. In practice, the flaw enables attackers to craft unauthenticated requests that circumvent the plugin’s intended checks. This loophole allows the attacker to orchestrate the installation and activation of arbitrary plugins on a compromised WordPress site. In other words, once an attacker can trigger the vulnerability, they can programmatically push and enable code modules that operate with the site’s permissions, effectively granting themselves control over the site’s behavior and data.

Security researchers deduced the operating sequence by analyzing compromised customer sites. The initial compromise occurred when attackers leveraged the Hunk Companion vulnerability to direct the site to a WordPress.org-hosted resource—specifically, the WP Query Console plugin. The redirection is notable: it shows how attackers exploit one vulnerability to obtain a second, highly weaponized payload. The WP Query Console plugin, due to its own vulnerabilities, provided a pathway to execute malicious code within the site environment.

Once the vulnerable site downloads and installs WP Query Console, attackers then exploit CVE-2024-50498 in WP Query Console to execute code on the target site. This step represents a classic chain of exploitation: a first-stage vulnerability that permits plugin deployment, followed by a second-stage vulnerability that completes a full remote code execution (RCE) capability. The severity score of 10 for CVE-2024-50498 emphasizes the immediate and decisive risk posed by this vulnerability, as it can give attackers full control over the WordPress environment.

An important detail in the observed exploitation chain is the temporary unavailability of WP Query Console on WordPress.org. In October, the plugin was listed as temporarily unavailable pending review, which indicates ongoing scrutiny by the repository maintainers. Despite this status, attackers managed to retrieve the plugin via a workaround: they used a specialized WordPress.org URL that allowed the retrieve-and-install process to bypass the block. This technique demonstrates a sophisticated understanding of how WordPress.org moderation and plugin distribution mechanisms can be manipulated during a live attack, underscoring the need for rapid, coordinated responses from plugin authors and platform operators.

The vulnerability in Hunk Companion stems from a flaw in its code that enables unauthenticated requests to bypass checks. This flaw is essential to the attack chain because it creates the initial foothold from which the attacker can push the subsequent payloads, including the WP Query Console plugin. Once the arbitrary plugins are installed and activated, attackers can choose actions that maximize control over the site, including persistence mechanisms, data exfiltration pipelines, or defacement. The combined effect of these vulnerabilities underscores the importance of defense-in-depth, as single-vector mitigations may not be sufficient when an attacker can pivot from one compromised component to another.

Version 1.9.0 of Hunk Companion, released shortly after the disclosure of CVE-2024-11972, addresses the vulnerability by closing the bypass path and enforcing checks that prevent arbitrary plugin installation and activation from unauthenticated requests. A prior patch, version 1.8.5, targeted a related vulnerability tracked as CVE-2024-9707, also with a 9.8 severity rating. However, even with these patches available, the observed patch adoption rates were historically low, exemplified by the less-than-12-percent figure. These dynamics illustrate a common challenge in software security: even when fixes exist, the operational realities of site management and plugin maintenance can delay remediation, enabling adversaries to continue targeting unpatched sites.

The technical complexity of the attack is further heightened by the interplay between the two exploited components. The Hunk Companion vulnerability creates the initial vulnerability window and enables redirection to the WP Query Console plugin, while the WP Query Console vulnerability provides the actual mechanism for remote code execution. This layered approach demonstrates why defenders should treat patched components as a system rather than in isolation. A vulnerability fixed in one plugin may still be exploited if a dependent component remains vulnerable, or if an attacker can circumvent protection mechanisms via alternative routes.

WP Query Console vulnerability and current status

The WP Query Console vulnerability (CVE-2024-50498) is the second critical element in the exploitation chain. It represents a high-severity flaw that enables remote code execution when exploited. The CVSS-like severity score of 10 signals that the vulnerability is severe and exploitable under typical conditions, especially in environments where WP Query Console remains installed and unpatched. The fact that this plugin had limited to no recent updates intensifies concerns, as legacy codebases are often more prone to exceptions, misconfigurations, and unaddressed security flaws. The plugin’s own status on WordPress.org—being temporarily unavailable in October pending review—suggests ongoing evaluation by repository maintainers. This status complicates remediation for site owners, since a critical component remains in limbo while attackers may attempt to leverage it.

Attackers’ ability to pivot around a block on WP Query Console, using a special WordPress.org URL to override the block, illustrates how adversaries adapt to protective measures. Even with a temporary block in place, attackers managed to obtain the plugin by exploiting a URL mechanism that bypassed the intended restrictions. This highlights the fragility of relying solely on repository-level blocks without addressing the underlying vulnerability in the plugin’s code and its integration with WordPress sites. From a defender’s point of view, the WP Query Console vulnerability is a reminder that zero-day-like risk can persist as long as a critical component remains unpatched or unmaintained.

The critical takeaway for operators is clear: the WP Query Console plugin’s vulnerability remains a high-priority risk area even if WordPress.org temporarily removes the plugin from distribution. Administrators should assume that any unpatched component in the chain can be a point of compromise, and they should implement compensating controls such as minimizing plugin usage, hardening configurations, and preparing for rapid incident response if exploitation is detected. The combination of Hunk Companion’s unauthenticated bypass and WP Query Console’s remote code execution potential creates an ecosystem-wide incentive for attackers to automate attacks against vulnerable WordPress installations.

Patch development and rollout status

Patch history for Hunk Companion shows responsive development, with version 1.9.0 addressing the core CVE-2024-11972 flaw and providing a more robust validation process to prevent arbitrary plugin installation and activation without proper authorization. Earlier, version 1.8.5 addressed a related vulnerability tracked as CVE-2024-9707, which carried the same severity rating of 9.8. These patches reflect a concerted effort by plugin developers to close the most alarming exposure points. However, patch adoption remains a critical challenge for site operators, as evidenced by the low uptake rate—less than 12 percent at the time of reporting. The practical implication is that, despite patches existing, a substantial portion of sites could still be vulnerable to the same exploitation chain.

The patch for WP Query Console remains problematic due to its unpatched status and intermittent availability on WordPress.org. The plugin’s temporary unavailability, while under review, leaves site owners with a dilemma: whether to continue running a component that may be exploitable or to remove the plugin entirely from the build. The combination of a patched Hunk Companion and an unpatched WP Query Console may still leave vulnerabilities exposed if the WP Query Console vulnerability can be exploited in real-world deployments. The lack of a timely patch for WP Query Console is a major risk factor for any site that relies on that plugin as part of its core functionality.

Patch adoption dynamics are influenced by several factors, including the perceived risk, the compatibility of updates with custom themes and other plugins, and the operational burden of upgrading across large or complex WordPress environments. Administrators often delay updates to minimize downtime or compatibility breakages, which inadvertently increases the attack window during which attackers can leverage existing vulnerabilities. The situation at hand demonstrates why proactive patch management, regular vulnerability scanning, and automated deployment pipelines are critical components of a robust WordPress security strategy. The reality that only a small fraction of users have applied the patch highlights the need for vendor-led guidance, clear upgrade paths, and possibly security bulletins that emphasize rapid mitigation steps for administrators.

In terms of availability of official guidance, WordPress.org representatives did not immediately respond to inquiries about why the override mechanism existed previously or whether it remains available now. The absence of timely comments from the repository maintainers underscores a broader industry challenge: coordinating responses across multiple stakeholders during active exploitation cycles. For site operators, the absence of definitive, published guidance can hinder risk assessment, patch planning, and incident response readiness. It reinforces the value of independent security research, third-party advisories, and proactive hardening practices that do not rely solely on upstream communications.

Impact on WordPress admins and ecosystem

The convergence of these vulnerabilities creates a high-risk scenario for WordPress admins who rely on third-party plugins and themes. The Hunk Companion vulnerability can enable attackers to gain immediate, unauthenticated control over a site by injecting and activating arbitrary plugins. When attackers can inject and enable malicious components directly into a site, they can introduce backdoors, alter critical site configurations, and implement covert channels for ongoing exploitation. The fact that this vulnerability can be triggered without user authentication dramatically raises the severity for admins who may not routinely monitor every plugin installation or activation event.

Meanwhile, the WP Query Console vulnerability adds another layer of risk by enabling remote code execution. An unpatched WP Query Console component can transform a compromised site into a platform for broader attacks, including data exfiltration, credential harvesting, and further exploitation of connected services. The dual-threat dynamic—unauthenticated plugin installation combined with remote code execution—amplifies the potential impact across thousands of WordPress sites in a short time window.

The broader WordPress ecosystem faces several potential consequences. First, there is the risk of data compromise, including site configuration data, custom post types, and user information. Second, attackers may establish persistence mechanisms, creating backdoors that survive site restarts and plugin reconfigurations. Third, the integrity and reliability of site content can be affected, including the potential for defacement or manipulation of site behavior. Finally, the attack surface for subsequent intrusions increases as compromised sites can be used as footholds for further lateral movement, supply-chain-style compromises, or botnet activities that coordinate across multiple targets.

A critical factor in assessing impact is patch adoption. If fewer than 12 percent of affected sites have updated Hunk Companion to version 1.9.0, a sizable number of WordPress deployments remain exposed, prolonging the window during which attackers can identify, compromise, and weaponize vulnerable environments. This reality highlights the importance of rapid, coordinated remediation strategies that combine software updates with vigilant monitoring and incident response readiness. It also emphasizes the need for site operators to review both plugin and theme ecosystems, as the threat is not limited to a single plugin but includes the interaction between Hunk Companion, ThemeHunk, and the WP Query Console.

Industry observers underscore the importance of defense-in-depth in mitigating the exposed risk. No single patch will fully resolve the issue unless it is complemented by monitoring, access control, and secure plugin management. Administrators should consider temporarily limiting plugin installations, reviewing authentication controls for plugin activation, and implementing network and application layer protections that can detect unusual plugin deployment patterns. This holistic approach is essential when dealing with chained vulnerabilities that can be exploited in rapid succession by motivated attackers.

Remediation guidelines and defense recommendations

For WordPress site owners and administrators, a structured remediation plan is essential to reduce exposure and mitigate ongoing risk. The following guidance synthesizes best practices with the specifics of this vulnerability scenario:

• Immediately verify whether Hunk Companion is installed on any WordPress site in your environment and confirm the version in use. If the site uses Hunk Companion, upgrade to version 1.9.0 or later to close the unauthenticated bypass vulnerability and prevent arbitrary plugin installation and activation.

• Check for the presence of the WP Query Console plugin and assess whether it is installed, enabled, and up to date. Given CVE-2024-50498’s severity, administrators should seek patches or official guidance from plugin maintainers. If a patch is unavailable or the plugin is no longer needed, consider removal or temporary disabling until a safe remediation is confirmed.

• Run a comprehensive vulnerability assessment across all WordPress instances to identify signs of compromise, including unusual plugin installations, unexpected file changes, or defaced web content. Investigate logs for anomalous activity, such as unexpected redirects to WordPress.org or autonomous plugin installation events.

• Conduct a sweep of themes and plugins for compatibility issues. Since the core risk hinges on interaction between Hunk Companion and the ThemeHunk ecosystem, ensure that all components are compatible with updated security controls and that no deprecated dependencies are left in place.

• Deploy a staged upgrade strategy to minimize downtime. Test upgrades in a controlled environment before applying changes to production sites. This approach helps identify and resolve potential compatibility problems that could otherwise disrupt site availability.

• Implement defense-in-depth measures, including web application firewall (WAF) rules that flag anomalous plugin installation activity, restricted permissions for plugin activation, and enhanced monitoring of file integrity. Use least-privilege principles to reduce the risk of exploitation during upgrade processes.

• Enforce robust backup and recovery protocols. Regularly back up site data, including database and file systems, and validate the ability to restore from backups quickly if post-upgrade anomalies are detected.

• Apply credential hygiene and access controls. Rotate all admin credentials and ensure that users with elevated privileges are monitored for unusual login patterns. Review access control policies to prevent unauthorized changes to plugin configurations.

• Maintain ongoing monitoring for new advisories from plugin developers and security researchers. Given the fast-evolving nature of vulnerability exploit campaigns, stay informed about any new patches, workarounds, or mitigation steps that apply to Hunk Companion, ThemeHunk, and WP Query Console.

• Plan for emergency incident response. Establish a response playbook that defines escalation paths, containment steps, and post-incident remediation workflows to minimize damage in the event of a confirmed compromise.

• Consider discontinuing reliance on deprecated plugins. If a plugin is no longer actively maintained or cannot be patched promptly, assess alternatives that offer similar functionality with a stronger security posture and ongoing support.

• Communicate with users and stakeholders. If your site handles user data or financial information, inform relevant stakeholders about the risk and the steps you are taking to address it, while avoiding over-promotion or speculative statements.

• Review and adjust deployment practices to reduce risk going forward. Implement continuous integration and continuous deployment (CI/CD) practices with security gates that prevent vulnerable code from entering production. Reinforce plugin vetting processes to ensure that third-party components meet security standards before deployment.

By following these remediation steps, WordPress site operators can reduce exposure to CVE-2024-11972 and CVE-2024-50498 while maintaining operational stability. Until patches are consistently applied across all affected components, administrators should assume that exploitation is possible and keep monitoring for indicators of compromise. The overarching objective is to restore site integrity, protect user data, and prevent the deployment of malicious code through compromised plugin channels.

Industry response and guidance for site operators

Security researchers and independent analysts emphasize the need for proactive defense strategies in light of these vulnerabilities. The observed exploitation chain—combining unauthenticated plugin installation with remote code execution—demonstrates how attackers optimize their chances by exploiting multiple weaknesses in adjacent components. Researchers advise administrators to treat any unpatched component with heightened scrutiny, even if other parts of the system have been patched. The vulnerability landscape is dynamic, and attackers often adapt quickly to preventive measures such as patching, so timely, coordinated action is essential.

The WP Scan team highlighted the risk of thousands of sites remaining exposed, given the large number of active Hunk Companion installations and the patch adoption gap. The analysis emphasizes that the combination of CVE-2024-11972 and CVE-2024-50498 creates a significant attack surface, reinforcing the need for rapid remediation, thorough monitoring, and layered security controls. In addition to patching, they underscore the importance of verifying that blocked or deprecated plugins are not reintroduced through alternative mechanisms or loopholes, and that the WordPress ecosystem as a whole remains resilient against chained vulnerabilities.

WordPress.org representatives did not promptly respond to inquiries about the override mechanism that attackers used to obtain the WP Query Console plugin. This underscores the broader challenge of coordinating security responses across disparate stakeholders in an active threat scenario. For site operators, the absence of immediate official guidance means relying on independent security advisories, vendor notices, and best-practice security frameworks to drive timely action. The combined message to administrators is clear: implement strong patching discipline, verify plugin integrity through trusted channels, and apply defense-in-depth measures that minimize the likelihood of a successful chain attack.

Practical guidance for site owners and operators

To translate this risk into actionable steps on the ground, operators should implement the following pragmatic measures:

• Audit plugin inventory across all WordPress installations to identify Hunk Companion and WP Query Console components. Document versions, patch status, and any signs of modification that could indicate compromise.

• Upgrade Hunk Companion to version 1.9.0 or newer, and verify that the upgrade has completed successfully without errors. After upgrading, perform a thorough integrity check to ensure no unauthorized plugins remain active.

• If WP Query Console is present, determine whether a patch is available and apply it promptly. If no patch exists, assess whether removing the plugin from the site is feasible and advisable, given the plugin’s role and risk profile.

• Implement network and host-level monitoring to detect unusual plugin activation events, file changes, or redirects to external resources. Establish alerting for anomalous behavior that could point to an ongoing exploitation attempt.

• Harden WordPress environments by applying strong defense-in-depth controls, including strict file permissions, disabling unused features, and limiting permission scopes for users who can install or activate plugins.

• Validate site backups and implement a rapid recovery plan. Regularly test restoration processes to reduce downtime and ensure momentum in the event of an attack or post-patch troubleshooting.

• Avoid relying on deprecated plugins for critical functionality. Where possible, migrate to actively maintained alternatives with robust security support and timely updates.

• Maintain security hygiene by rotating credentials, enforcing MFA where possible, and auditing user access on a regular basis.

• Stay informed about new advisories and patch releases from plugin developers, security researchers, and platform maintainers. Integrating a structured vulnerability management process helps ensure timely responses to emerging threats.

• Prepare customer-facing communications where appropriate. If you operate a site that handles sensitive data or serves a large user base, develop clear, accurate messaging about security posture and remediation steps.

• Consider partnering with a security-focused managed service or contractor if in-house capabilities are limited. External expertise can help accelerate patch deployment, monitor for indicators of compromise, and refine incident response readiness.

These practical steps help fortify WordPress environments against both the Hunk Companion CVE-2024-11972 vulnerability and the WP Query Console CVE-2024-50498 flaw, supporting a more resilient ecosystem and reducing the likelihood of successful exploitation by opportunistic attackers.

Conclusion

The ongoing exploitation of CVE-2024-11972 in Hunk Companion, in concert with CVE-2024-50498 in WP Query Console, represents a severe, real-world threat to thousands of WordPress sites. The interconnected nature of these vulnerabilities—where unauthenticated plugin installation can precede remote code execution—creates a dangerous attack surface that demands immediate, coordinated action from site owners, plugin developers, and platform maintainers. Patch adoption remains the most critical defense, but it must be complemented by a comprehensive security program that includes vulnerability scanning, configuration hardening, boundary protections, and robust incident response planning. With patching timelines and ecosystem responses still developing, proactive defense remains essential to safeguard WordPress sites from this high-severity chain of exploits. Implementing the remediation and defense recommendations outlined above will help reduce risk, restore site integrity, and protect users as the WordPress community continues to address these critical vulnerabilities.