PT-2024-9606 · WordPress · Hunk Companion
Daniel Rodriguez · Published 2024-12-10 · Updated 2025-11-01
CVE-2024-11972
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Hunk Companion WordPress plugin versions prior to 1.9.0
Description
The Hunk Companion WordPress plugin does not properly authorize certain REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repository, including plugins with known vulnerabilities. The issue is being actively exploited and affects over 10,000 websites. Successful exploitation could lead to Remote Code Execution (RCE), SQL injection, and administrative backdoors, because the vulnerability lets attackers install vulnerable plugins silently. The affected endpoints are not explicitly specified, but the issue lies in the authorization of requests that install plugins.
Recommendations
Update the Hunk Companion WordPress plugin to version 1.9.0 or later.
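As an added illustration of the weakness class (not code from Hunk Companion, whose affected routes the advisory does not name), the snippet below registers a hypothetical plugin-install REST route first with no authorization and then guarded by the install_plugins capability; the namespace, route paths and the installer callback are assumptions.

```php
<?php
// Added example, not Hunk Companion code. Namespace, route paths and
// example_install_plugin() are hypothetical; the advisory names no endpoint.

// Installer used by both routes: fetches the plugin from WordPress.org by slug.
function example_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $request['slug'] ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    return rest_ensure_response( array( 'installed' => ( true === $result ) ) );
}

add_action( 'rest_api_init', function () {
    // Vulnerable pattern: permission_callback accepts every caller, so an
    // anonymous request can trigger a plugin install (CWE: Missing Authorization).
    register_rest_route( 'example-companion/v1', '/install-plugin-unsafe', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: the caller must be an authenticated user holding the
    // install_plugins capability. Cookie-authenticated REST requests must also
    // send a valid X-WP-Nonce header, otherwise WordPress treats them as
    // anonymous and current_user_can() returns false.
    register_rest_route( 'example-companion/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => function () {
            if ( ! current_user_can( 'install_plugins' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $value ) {
                    return (bool) preg_match( '/^[a-z0-9-]+$/', $value );
                },
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of bug, grep every register_rest_route() call for a missing permission_callback or one set to __return_true and check that any installer or activator path is reached only behind a capability check.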
Weakness Enumeration
Missing Authorization
Affected Products
Hunk Companion