PT-2024-34276 · WordPress · Hunk Companion+1

Stealthcopter · Published 2024-10-28 · Updated 2026-01-23 · CVE-2024-50498

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WP Query Console versions n/a through 1.0; Hunk Companion versions prior to 1.9.0
Description: The issue is an Improper Control of Generation of Code ('Code Injection') vulnerability. It affects WP Query Console and can be used to execute commands on the target website, potentially leading to backdoor access and full control over the website. According to WPScan, hackers have been using vulnerabilities in the Hunk Companion and WP Query Console plugins to gain permanent backdoor access to vulnerable WordPress websites. Approximately 90% of the 10,000 installations of the Hunk Companion plugin are reportedly still running unpatched versions. Defiance has blocked over 56,000 attacks targeting the Hunk Companion vulnerability in the last 24 hours.
Recommendations: For WP Query Console versions n/a through 1.0: Immediate deactivation and uninstallation are recommended. For Hunk Companion versions prior to 1.9.0: Update to version 1.9.0 as soon as possible and check the site for signs of intrusion, including the installation of WP Query Console or other plugins.

Exploit · Fix · RCE · Code Injection

Related Identifiers: CVE-2024-50498

Affected Products: Hunk Companion, WP Query Console