PT-2024-39774 · WordPress · Hunk Companion +1

Sean Murphy · Published 2024-10-11 · Updated 2025-11-12 · CVE-2024-9707

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Hunk Companion plugin for WordPress, versions prior to 1.9.0; WP Query Console (affected versions not specified).
Description: The Hunk Companion plugin for WordPress allows unauthorized plugin installation and activation because the /wp-json/hc/v1/themehunk-import REST API endpoint lacks a capability check. Unauthenticated attackers can use the endpoint to install and activate arbitrary plugins, which can lead to remote code execution if another vulnerable plugin is present on the site. Recent campaigns have actively targeted this and other WordPress plugin vulnerabilities; Wordfence reports blocking more than 8.7 million exploitation attempts. Attackers have been observed installing malicious plugins hosted on platforms such as GitHub. The WP Query Console plugin, which has not been updated in seven years, is also being exploited through a code injection flaw that lets attackers execute commands on the target site. Approximately 90% of the 10,000 Hunk Companion installations are still running a vulnerable version.
Recommendations: Update Hunk Companion to version 1.9.0 or later. Remove WP Query Console from your WordPress installation.
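A missing capability check of the kind described above is what happens when a WordPress REST route is registered with a permission_callback that always returns true (or, in older code, with none at all). The block below is an added illustration and not code from Hunk Companion, WP Query Console or any other plugin: it registers a hypothetical plugin-installing route first in the weak form and then hardened with a current_user_can( 'install_plugins' ) check and a slug allow-list. The namespace example/v1, the route names, the handler and helper names and the allow-list contents are assumptions; the allow-list is extra hardening beyond the capability check that the advisory's fix concerns.

```php
<?php
// Added illustration (not Hunk Companion's code). Namespace, route paths,
// handler names and the allow-list are assumptions for the example.

// WEAK: '__return_true' makes the route public, so unauthenticated callers
// reach a handler that installs plugins. This is the shape of the flaw the
// advisory describes (a missing capability check on an installer endpoint).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/import-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_plugin',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED: only users holding install_plugins (administrators on a single
// site) pass the permission_callback, and the slug must be on an allow-list
// before the handler runs. WordPress evaluates permission_callback before
// the args validation and before the callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/import', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_plugin',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'install_plugins' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to install plugins.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $value ) {
                    // Reject anything not explicitly permitted by the integrator.
                    return in_array( $value, example_allowed_plugin_slugs(), true );
                },
            ),
        ),
    ) );
} );

// Assumed allow-list; a real integration would populate this deliberately.
function example_allowed_plugin_slugs() {
    return array( 'example-allowed-plugin' );
}

// Installs a plugin from the wordpress.org directory by slug. Shared by both
// routes above so that the only difference is the permission check.
function example_import_plugin( WP_REST_Request $request ) {
    $slug = $request->get_param( 'slug' );

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Resolve the slug to a download link via the official plugin directory API.
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        return new WP_Error( 'install_failed', 'Plugin installation failed.', array( 'status' => 500 ) );
    }

    return rest_ensure_response( array( 'installed' => $slug ) );
}
```

When reviewing a plugin for this class of issue, grep its register_rest_route calls and treat any route that installs, activates, deletes or configures code as needing a permission_callback that checks a capability (install_plugins, activate_plugins, manage_options), not merely a nonce or a logged-in check.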

Tags: Fix · RCE · Missing Authorization

Weakness Enumeration

Related Identifiers: CVE-2024-9707

Affected Products: Hunk Companion; WP Query Console