CVE-2024-11972
published 2024-12-31


Priority: P1 (91), critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Tags: ITW, exploit, VulnCheck KEV, initial access
Exploited in the wild
EPSS: 54.75% (98.9th percentile)
The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.

Affected

1 range

Vendor     Product         Version range   Fixed in
themehunk  hunk_companion  < 1.9.0         1.9.0

Detection & IOCs (extracted from sources)

url: /wp-json/hc/v1/themehunk-import
url: /wp-json/gutenkit/v1/install-active-plugin
path: /up
path: /background-image-cropper
path: /ultra-seo-processor-wp
path: /oke
path: /wp-query-console
filename: up.zip
command: POST /wp-json/hc/v1/themehunk-import HTTP/1.1
fofa-query: body="/wp-content/plugins/hunk-companion/"
  • Check for the presence of the wp-query-console plugin directory on disk; attackers install this outdated plugin (last updated 7+ years ago) to achieve unauthenticated RCE via CVE-2024-50498.
  • Look for PHP dropper files written to the WordPress site root directory; the dropper enables continued unauthenticated file uploads via GET requests as a persistent backdoor.
  • Inspect for a malicious plugin disguised as a component of the All in One SEO plugin that auto-logs in the attacker as an administrator; this is part of the 'up' ZIP payload dropped by attackers.
  • The exploit payload uses Content-Type: application/json with a JSON body containing 'params', 'templateType', 'plugin', and 'allPlugins' keys — use this structure to build WAF or IDS signatures for the themehunk-import endpoint.
  • Wordfence blocked 8.7 million attack attempts on October 8–9 alone; high-volume IP addresses were identified by Wordfence as driving these malicious requests and should be used to build network-level blocks.
  • CVE-2024-11972 affects Hunk Companion versions up to and including 1.8.5; the patch was introduced in version 1.9.0. Note that the earlier fix in 1.8.5 (for CVE-2024-9707) was insufficient and could be bypassed.
  • Despite fixes being available since December 2024, a large number of sites remain on vulnerable versions; at the time of reporting only ~1,800 downloads of the patched 1.9.0 had occurred, leaving ~8,000+ sites exposed.
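The log, request-body and on-disk checks the bullets above describe, as an added example written for this page (not code from the CVE database, from Wordfence, or from the Hunk Companion project). It assumes combined-format web-server access logs and a standard WordPress layout with plugins under wp-content/plugins. The log lines, the request body and the temporary plugins directory are constructed samples; the body's values are placeholders, since the sources only report the key names.

```python
"""Triage helpers for CVE-2024-11972 (Hunk Companion REST authorization bypass).

Added example, not code from the CVE page, Wordfence, or Hunk Companion.
Three checks built from the IOCs listed above:
  1. flag access-log lines that POST to the abused REST routes,
  2. match a request body against the JSON key set reported for the exploit,
  3. look for the plugin directories attackers are reported to drop on disk.
All inputs fed in below are constructed samples, not captured traffic.
"""
import json
import os
import re
import tempfile

# REST routes named in the IOC list above.
ABUSED_ROUTES = (
    "/wp-json/hc/v1/themehunk-import",
    "/wp-json/gutenkit/v1/install-active-plugin",
)

# Plugin directory names reported as dropped after exploitation.
DROPPED_PLUGIN_DIRS = {
    "up",
    "background-image-cropper",
    "ultra-seo-processor-wp",
    "oke",
    "wp-query-console",
}

# Keys reported in the exploit's JSON body (order is not significant).
EXPLOIT_BODY_KEYS = {"params", "templateType", "plugin", "allPlugins"}

# Apache/Nginx "combined" log format. Assumption: the site logs in that format.
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def flag_log_lines(lines):
    """Return (ip, timestamp, path, status) for POSTs to an abused route.

    The query string is stripped before matching so a '?...' suffix cannot
    evade the check. Only POST is flagged: the install call is a POST (see the
    'command' IOC above); a GET to the same route is at most a probe.
    """
    hits = []
    for line in lines:
        m = COMBINED_LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real tool would count these
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if m.group("method") == "POST" and path in ABUSED_ROUTES:
            hits.append((m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


def looks_like_exploit_body(raw_body):
    """True when the body is a JSON object carrying all four reported keys.

    Meant as the matching logic behind a WAF/IDS rule on the themehunk-import
    route. Non-JSON and non-object bodies never match, so a malformed body
    cannot raise inside the rule.
    """
    try:
        body = json.loads(raw_body)
    except (TypeError, ValueError):
        return False
    return isinstance(body, dict) and EXPLOIT_BODY_KEYS.issubset(body)


def find_dropped_plugins(plugins_dir):
    """Return the known-dropped plugin directory names present under plugins_dir."""
    try:
        names = os.listdir(plugins_dir)
    except FileNotFoundError:
        return []
    present = {n for n in names if os.path.isdir(os.path.join(plugins_dir, n))}
    return sorted(DROPPED_PLUGIN_DIRS & present)


# Constructed sample log lines (RFC 5737 addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Oct/2025:10:12:29 +0000] "GET /wp-json/hc/v1/themehunk-import HTTP/1.1" 401 83 "-" "python-requests/2.31"',
    '198.51.100.7 - - [08/Oct/2025:10:12:31 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [08/Oct/2025:10:13:02 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin?x=1 HTTP/1.1" 200 300 "-" "curl/8.4"',
    '192.0.2.9 - - [08/Oct/2025:10:14:00 +0000] "GET /wp-content/plugins/hunk-companion/readme.txt HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

# Constructed body with the reported key set; the values are placeholders.
SAMPLE_BODY = json.dumps({
    "params": {},
    "templateType": "plugin",
    "plugin": "wp-query-console",
    "allPlugins": ["wp-query-console"],
})


def demo_disk_check():
    """Build a throwaway plugins directory and run the on-disk check against it."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("hunk-companion", "wp-query-console", "up"):
            os.mkdir(os.path.join(root, name))
        return find_dropped_plugins(root)


if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print("suspicious request:", hit)
    print("body matches exploit key set:", looks_like_exploit_body(SAMPLE_BODY))
    print("dropped plugin dirs found:", demo_disk_check())
```

The log check deliberately keeps blocked requests (status 403 from a WAF) in its output, since the source IP is still worth feeding into a network-level block list; filter on the returned status if only successful installs are of interest. A hit on the on-disk check is a stronger signal than a log hit alone, because the dropped directories are only written after the install call succeeded.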

CVSS provenance

nvd: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL