Unauthorized Plugin Installation/Activation Vulnerability Affects Hunk Companion for WordPress
CVE-2024-9707

9.8 CRITICAL

Key Information:

Vendor: WordPress
CVE Published: 11 October 2024

Badges

👾 Exploit Exists · 🟡 Public PoC

Summary

The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation and activation in all versions up to and including 1.8.4. The cause is a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint: the route accepts requests without verifying that the caller is allowed to install or activate plugins. As a result, unauthenticated attackers can install and activate arbitrary plugins on an affected site. If a plugin that is itself vulnerable is installed this way, the flaw can be chained to remote code execution, which is why the issue carries a critical rating. Site owners should update past 1.8.4 to close the gap.
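The root cause described above is the `permission_callback` of a REST route. The following is an added illustration, not code from Hunk Companion or ThemeHunk: it shows the weak pattern (a route that lets every caller through) next to the hardened form (a route that requires the capabilities its side effects need). Only the namespace and route path come from the advisory; `hypo_import_handler`, `hypo_import_permission` and the handler body are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Route namespace and path are
// from the advisory; all function names and the handler body are hypothetical.

// WEAK FORM (for comparison only, not registered here):
//
//   register_rest_route( 'hc/v1', '/themehunk-import', array(
//       'methods'             => 'POST',
//       'callback'            => 'hypo_import_handler',
//       'permission_callback' => '__return_true',   // every caller passes
//   ) );
//
// With '__return_true' an unauthenticated POST reaches the handler, which is
// the class of defect the advisory describes.

// HARDENED FORM: the permission callback requires the capabilities that
// installing and activating a plugin actually need.
add_action( 'rest_api_init', function () {
    register_rest_route( 'hc/v1', '/themehunk-import', array(
        'methods'             => 'POST',
        'callback'            => 'hypo_import_handler',
        'permission_callback' => 'hypo_import_permission',
        'args'                => array(
            'plugin_slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

/**
 * Permission check: runs before the handler. Returning WP_Error (or false)
 * stops the request with a 401/403 and the handler never executes.
 */
function hypo_import_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to install or activate plugins.',
            array( 'status' => rest_authorization_required_code() ) // 401 anon, 403 logged-in
        );
    }
    return true;
}

/**
 * Hypothetical handler. The real work (downloading and activating a plugin)
 * is out of scope here; the point is that it only runs for callers who
 * passed hypo_import_permission(), and it re-checks anyway as defence in depth.
 */
function hypo_import_handler( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error( 'rest_forbidden', 'Forbidden.', array( 'status' => 403 ) );
    }
    $slug = $request->get_param( 'plugin_slug' ); // already passed sanitize_key
    return rest_ensure_response( array(
        'status' => 'accepted',
        'slug'   => $slug,
    ) );
}
```

Two points worth knowing when reviewing a route like this. First, WordPress only attaches a logged-in user to a REST request when the request carries a valid `X-WP-Nonce` (or another authentication method such as an application password); otherwise `current_user_can()` evaluates as an anonymous user, so the capability check above also closes cross-site abuse of a logged-in administrator's session. Second, for detection, a `POST` to `/wp-json/hc/v1/themehunk-import` from a client with no authentication that receives a 200 rather than a 401 is a strong sign the unpatched version is in place.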

Affected Version(s)

Hunk Companion * <= 1.8.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability reserved

Credit

Sean Murphy