CVE-2024-11972
Published: 2024-12-31
Priority: P1 (91) · Severity: critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 54.75% (98.9th percentile)
The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themehunk | hunk_companion | < 1.9.0 | 1.9.0 |
Detection & IOCs (extracted from sources)
fofa-query: body="/wp-content/plugins/hunk-companion/"
- Check for the presence of the wp-query-console plugin directory on disk; attackers install this outdated plugin (last updated 7+ years ago) to achieve unauthenticated RCE via CVE-2024-50498.
- Look for PHP dropper files written to the WordPress site root directory; the dropper enables continued unauthenticated file uploads via GET requests as a persistent backdoor.
- Inspect for a malicious plugin disguised as a component of the All in One SEO plugin that auto-logs in the attacker as an administrator; this is part of the 'up' ZIP payload dropped by attackers.
- The exploit payload uses Content-Type: application/json with a JSON body containing the 'params', 'templateType', 'plugin' and 'allPlugins' keys; use this structure to build WAF or IDS signatures for the themehunk-import endpoint.
- Wordfence blocked 8.7 million attack attempts on October 8–9 alone; the high-volume IP addresses Wordfence identified as driving these malicious requests should be used to build network-level blocks.
- CVE-2024-11972 affects Hunk Companion versions up to and including 1.8.5; the patch was introduced in version 1.9.0. Note that a prior patch in 1.8.5 (CVE-2024-9707) was insufficient and bypassable.
- Despite fixes being available since December 2024, a large number of sites remain on vulnerable versions; at the time of reporting only ~1,800 downloads of the patched 1.9.0 had occurred, leaving ~8,000+ sites exposed.
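The endpoint and JSON key structure from the detection notes above, applied as a log-scanning check. This is an added example, not code from the page or from any vendor; it assumes a reverse-proxy request log in JSON Lines with the request body recorded (a constructed format), and the sample entries are constructed.

```python
import json
from dataclasses import dataclass

# Constructed sample request log (JSON Lines) from a proxy that records bodies; all entries are made up.
SAMPLE_LOG = """\
{"ts":"2025-10-08T10:02:11Z","src":"203.0.113.10","method":"POST","path":"/wp-json/hc/v1/themehunk-import","cookie":"","body":"{\\"params\\":{},\\"templateType\\":\\"demo\\",\\"plugin\\":\\"wp-query-console\\",\\"allPlugins\\":[]}"}
{"ts":"2025-10-08T10:02:15Z","src":"198.51.100.7","method":"GET","path":"/wp-json/wp/v2/posts","cookie":"","body":""}
{"ts":"2025-10-08T10:03:40Z","src":"192.0.2.5","method":"POST","path":"/wp-json/hc/v1/themehunk-import","cookie":"wordpress_logged_in_1a2b=admin","body":"{\\"params\\":{},\\"templateType\\":\\"demo\\",\\"plugin\\":\\"some-plugin\\",\\"allPlugins\\":[]}"}
{"ts":"2025-10-08T10:04:02Z","src":"203.0.113.10","method":"POST","path":"/wp-json/hc/v1/themehunk-import","cookie":"","body":"not json"}
"""

# Endpoint, body keys and abused plugin slug named in the detection notes above.
TARGET_ENDPOINT = "/wp-json/hc/v1/themehunk-import"
PAYLOAD_KEYS = {"params", "templateType", "plugin", "allPlugins"}
KNOWN_BAD_SLUGS = {"wp-query-console"}

@dataclass
class Hit:
    ts: str
    src: str
    plugin: str
    authenticated: bool  # weak signal: a WordPress login cookie was present
    known_bad: bool      # requested slug is on the known-abused list

def parse_body(raw: str):
    # Return the JSON object in a request body, or None if it is not one.
    try:
        data = json.loads(raw) if raw else None
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) else None

def scan_log(text: str) -> list[Hit]:
    # Flag POSTs to the import endpoint whose body has the exploit's key set.
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != TARGET_ENDPOINT:
            continue
        body = parse_body(rec.get("body", ""))
        # Require all four keys; a partial match is more likely an unrelated call.
        if body is None or not PAYLOAD_KEYS.issubset(body):
            continue
        plugin = str(body.get("plugin", ""))
        hits.append(Hit(ts=rec["ts"], src=rec["src"], plugin=plugin,
                        authenticated="wordpress_logged_in_" in rec.get("cookie", ""),
                        known_bad=plugin in KNOWN_BAD_SLUGS))
    return hits
```

An authenticated hit can be a legitimate template import by an administrator, so triage on the cookie flag and the requested slug before blocking.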
CVSS provenance
NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-pp53-3m4v-vvmw (ghsa_unreviewed · 2024-12-31) · CVE-2024-11972 [CRITICAL]
The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.
VulnCheck
Hunk Companion Plugin Unauthenticated POST Request Vulnerability (vulncheck · 2024 · CVSS 9.8 · CRITICAL)
A vulnerability is present in the Hunk Companion plugin that allows installation and activation of plugins from the WordPress.org repository via an unauthenticated POST request.
Affected: ThemeHunk Hunk Companion Plugin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://wpscan.com/blog/unauthorized-plugin-installation-activation-in-hunk-companion/; https://cyble.com/blog/cyble-sensors-wordpress-plugins-network-devices/; https://app.crowdsec.net/cti/cve-explorer/CVE-2024-11972; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Exploit PoC: https://vulnche
No detection rules found.
Exploit-DB
Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation (exploitdb · 2025-04-18 · CVSS 9.8 · CRITICAL)
---
# Exploit Title: Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation
# Date: 16 December, 2024
# Exploit Author: Jun Takemura
# Author's GitHub: https://github.com/JunTakemura
# Author's Blog: juntakemura.dev
# Vendor Homepage: https://themehunk.com
# Software Link: https://wordpress.org/plugins/hunk-companion/
# Version: Tested on Hunk Companion 1.8.8
# CVE: CVE-2024-11972
# Vulnerability Description:
# Exploits a flaw in the Hunk Companion plugin's permission_callback for the
# /wp-json/hc/v1/themehunk-import endpoint, allowing unauthenticated attackers
# to install and activate arbitrary plugins from the WordPress.org repository.
# Tested on: Ubuntu
# Original vulnerability discovered by: Daniel Rodrig
Nuclei
Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation (nuclei · CVSS 9.8 · CRITICAL)
The plugin does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.
Template:

```yaml
id: CVE-2024-11972

info:
  name: Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation
  author: s4e-io
  severity: critical
  description: |
    The plugin does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.
  impact: |
    Unauthenticated attackers can install and activate arbitrary WordPress plugins including vulnerable or malicious ones, leading to
```
Bleepingcomputer
blogs_bleepingcomputer · 2025-10-24 · CVSS 9.8 · CRITICAL
## Hackers launch mass attacks exploiting outdated WordPress plugins
By Bill Toulas
A widespread exploitation campaign is targeting WordPress websites with GutenKit and Hunk Companion plugins vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE).
WordPress security firm Wordfence says that it blocked 8.7 million attack attempts against its customers in just two days, October 8 and 9.
The campaign exploits three flaws, tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all rated critical (CVSS 9.8).
CVE-2024-9234 is an unauthenticated REST-endpoint flaw in the GutenKit plugin with 40,000 installs that allows installing arbitrary plugins without authentication.
CVE-2024-9707 and CVE-2024-11972 are missing-authorization vul
Bleepingcomputer
blogs_bleepingcomputer · 2024-12-11 · CVSS 9.8 · CRITICAL
## Hunk Companion WordPress plugin exploited to install vulnerable plugins
By Bill Toulas
Hackers are exploiting a critical vulnerability in the "Hunk Companion" plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository.
By installing outdated plugins with known vulnerabilities with available exploits, the attackers can access a large pool of flaws that lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS) flaws, or create backdoor admin accounts.
The activity was discovered by WPScan, which reported it to Hunk Companion; a security update addressing the zero-day flaw was released yesterday.
## Installing vulnerable plugins
Hunk Companion is a WordPress plugin designed to complement and enhance the functiona
Greynoiseio
NoiseLetter October 2025 (blogs_greynoiseio)