CVE-2024-9707
published 2024-10-11


Priority: P1 (85) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 9.14% (94.7th percentile)
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

Affected (2 ranges)

Vendor      Product          Version range   Fixed in
themehunk   hunk_companion   < 1.8.5         1.8.5
themehunk   hunk_companion   <= 1.8.4        -

Detection & IOCs (extracted from sources)

url:      /wp-json/hc/v1/themehunk-import
path:     /up
path:     /background-image-cropper
path:     /ultra-seo-processor-wp
path:     /oke
path:     /wp-query-console
filename: up.zip
command:  POST /wp-json/hc/v1/themehunk-import HTTP/1.1
  • Monitor web server access logs for unauthenticated POST requests to the /wp-json/hc/v1/themehunk-import REST API endpoint, which is the attack vector for CVE-2024-9707.
  • Check for the presence of rogue directories /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console under the WordPress root, which indicate post-exploitation activity.
  • Identify the malicious plugin ZIP archive named 'up' hosted on GitHub; the archive contains obfuscated scripts for file upload/download/delete and permission changes, plus a password-protected auto-login backdoor disguised as an All in One SEO plugin component.
  • Use the FOFA query body="/wp-content/plugins/hunk-companion/" to identify internet-exposed WordPress instances running the Hunk Companion plugin for proactive scanning.
  • CVE-2024-9707 affects Hunk Companion versions up to and including 1.8.4; a patch was released in 1.8.5, but it was insufficient and bypassable, leading to CVE-2024-11972 which affects up to 1.8.5. The fully fixed version is 1.9.0.
  • The exploit payload targets the 'wp-file-manager' plugin slug via the themehunk-import endpoint; detection rules should account for arbitrary plugin slugs being passed in the 'plugin' and 'allPlugins' JSON fields, not just wp-file-manager.
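The detection points above, turned into a small triage script. This is an added example, not code from the vulnerability source or from the plugin vendor: it flags POST requests to /wp-json/hc/v1/themehunk-import in combined-format access logs, extracts every plugin slug from a captured request body (the 'plugin' string and the 'allPlugins' list; list entries being plain slug strings or objects with a "slug" key is an assumption), and reports which of the rogue directory names exist under a WordPress root. The log lines and JSON body are constructed samples.

```python
"""Triage helpers for CVE-2024-9707 (Hunk Companion, missing capability check
on the themehunk-import REST endpoint). Added example; the log lines and the
request body below are constructed, not real captures."""
import json
import re
from pathlib import Path

VULN_ENDPOINT = "/wp-json/hc/v1/themehunk-import"

# Directory names reported under the WordPress root after exploitation.
ROGUE_DIRS = ("up", "background-image-cropper", "ultra-seo-processor-wp",
              "oke", "wp-query-console")

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def find_import_requests(lines):
    """Return (ip, time, status) for every POST to the vulnerable endpoint.
    The query string is stripped before comparison so '?x=1' suffixes match."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path == VULN_ENDPOINT:
            hits.append((m.group("ip"), m.group("time"), int(m.group("status"))))
    return hits


def plugin_slugs_from_body(body):
    """Extract every plugin slug named in a captured themehunk-import body.
    Both the 'plugin' field and the 'allPlugins' list are inspected, so a rule
    does not depend on seeing wp-file-manager specifically. Assumption: list
    entries are slug strings or objects carrying a "slug" key."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return []
    if not isinstance(data, dict):
        return []
    slugs = []
    if isinstance(data.get("plugin"), str):
        slugs.append(data["plugin"])
    for entry in data.get("allPlugins") or []:
        if isinstance(entry, str):
            slugs.append(entry)
        elif isinstance(entry, dict) and isinstance(entry.get("slug"), str):
            slugs.append(entry["slug"])
    return list(dict.fromkeys(slugs))  # de-duplicate, keep first-seen order


def rogue_dirs_present(wp_root):
    """Return the ROGUE_DIRS names that exist as directories under wp_root."""
    root = Path(wp_root)
    return [d for d in ROGUE_DIRS if (root / d).is_dir()]


# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2024:03:14:07 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.2 - - [10/Dec/2024:03:14:09 +0000] "GET /wp-json/hc/v1/themehunk-import HTTP/1.1" 401 120 "-" "curl/8.4"',
    '198.51.100.9 - - [10/Dec/2024:03:15:00 +0000] "GET /wp-content/plugins/hunk-companion/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2024:03:15:31 +0000] "POST /wp-json/hc/v1/themehunk-import?_=1 HTTP/1.1" 200 510 "-" "python-requests/2.31"',
]
SAMPLE_BODY = ('{"plugin": "wp-file-manager", '
               '"allPlugins": ["wp-file-manager", "background-image-cropper"]}')

if __name__ == "__main__":
    for hit in find_import_requests(SAMPLE_LOG):
        print("POST to themehunk-import:", hit)
    print("plugin slugs requested:", plugin_slugs_from_body(SAMPLE_BODY))
    print("rogue dirs under /var/www/html:", rogue_dirs_present("/var/www/html"))
```

The GET request with a 401 in the sample is deliberately not flagged: the endpoint is reachable by anyone, so a GET probe is noise, while an unauthenticated POST that returns 200 is the event worth paging on. Run `rogue_dirs_present` against the real document root of a site that was exposed on 1.8.4 or earlier.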

CVSS provenance

NVD (v3.1):  9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck:   9.8 CRITICAL