Unauthorized Plugin Installation/Activation Vulnerability Affects Hunk Companion for WordPress
CVE-2024-9707
Key Information:
- Vendor
Wordpress
- Status
- Vendor
- CVE Published:
- 11 October 2024
Badges
What is CVE-2024-9707?
The Hunk Companion plugin for WordPress is susceptible to an unauthorized plugin installation and activation vulnerability. This issue arises from an absence of capability checks on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to 1.8.4. As a result, unauthenticated attackers can potentially install and activate arbitrary plugins on affected WordPress sites. If a vulnerable plugin is also installed, this flaw may lead to remote code execution, significantly increasing the risk for site owners and users. Addressing this vulnerability is crucial for maintaining the integrity and security of your WordPress environment.
Affected Version(s)
Hunk Companion * <= 1.8.4
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
References
EPSS Score
87% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 📰
First article discovered by BleepingComputer
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved