- Description: The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
- Source: security@wordfence.com
- NVD status: Analyzed

CVSS 3.1
- Type: Secondary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- Source: security@wordfence.com
- CWE ID: CWE-862

Hype score
- Not currently trending
@Nxploited, 13 Jan 2025:
> 🚨 PoC for CVE-2024-9707 🚨 Exploits a flaw in the WordPress Hunk Companion plugin, enabling attackers to install & activate arbitrary plugins via /wp-json/hc/v1/themehunk-import API. 🔗 https://t.co/9jeIdkRsVL #Exploit #hacker #LosAngelesFire

10 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes
@vFeed_IO, 12 Dec 2024:
> CVE-2024-9707 Exploited in the wild: WordPress Hunk Companion plugin vulnerable to unauthorized plugin installation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint (<= 1.8.4). CVSS3 base 9.8, Impact 5.9, Network. https://t.co/3sDvf8lRBS

124 Impressions, 1 Retweet, 2 Likes, 0 Bookmarks, 0 Replies, 0 Quotes
CPE configuration (NVD applicability statement):

```json
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:themehunk:hunk_companion:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E4E5B956-35DC-429A-8360-E0F17071B801",
            "versionEndExcluding": "1.8.5"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
```