WordPress · Hunk Companion · CVE-2024-11972
**Name of the Vulnerable Software and Affected Versions**
Hunk Companion WordPress plugin versions prior to 1.9.0
**Description**
The Hunk Companion WordPress plugin does not properly authorize certain REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repository, including vulnerable plugins. This issue is being actively exploited and impacts over 10,000 websites. Because attackers can silently install vulnerable plugins, successful exploitation could lead to Remote Code Execution (RCE), SQL Injection, and administrative backdoors. The vulnerable API endpoints are not explicitly specified, but the issue relates to the authorization of requests to install plugins.
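As an added illustration (not the plugin's own code, which this advisory does not show), the WordPress REST route registration below pairs the defect class described above, a `permission_callback` that lets any caller through, with its hardened form; the namespace, route paths and function names are hypothetical.

```php
<?php
// Illustrative reconstruction of the defect class (hypothetical route and
// function names; not the Hunk Companion plugin's own code). Both routes
// share one callback; only the permission_callback differs.
function example_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $slug = sanitize_key( $request['slug'] );
    $api  = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        return new WP_Error( 'install_failed', 'Install failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'installed' => $slug ) );
}

// WEAK: __return_true admits unauthenticated callers. Anyone who can reach
// /wp-json/ can pull any WordPress.org plugin onto the site, including ones
// with known flaws, which is the condition the advisory describes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-companion/v1', '/install-plugin-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => '__return_true',
        'args' => array( 'slug' => array( 'type' => 'string', 'required' => true ) ),
    ) );
} );

// HARDENED: require the capability WordPress itself checks on the Plugins
// screen. REST cookie authentication only sets a current user when a valid
// X-WP-Nonce accompanies the request, so an unauthenticated or nonce-less
// request fails current_user_can() and is refused with 401/403.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-companion/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => function () {
            if ( current_user_can( 'install_plugins' ) ) {
                return true;
            }
            return new WP_Error( 'rest_forbidden', 'Insufficient privileges.',
                array( 'status' => rest_authorization_required_code() ) );
        },
        'args' => array( 'slug' => array( 'type' => 'string', 'required' => true ) ),
    ) );
} );
```

Note that `install_plugins` is also denied to every user when `DISALLOW_FILE_MODS` is defined, so that constant is a useful site-wide backstop against any plugin exposing an install route.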
**Recommendations**
Update the Hunk Companion WordPress plugin to version 1.9.0 or later.