CVE-2024-9707
Published: 2024-10-11
Priority: P1 · 85 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild · VulnCheck KEV · Initial access
EPSS: 9.14% (94.7th percentile)
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themehunk | hunk_companion | < 1.8.5 | 1.8.5 |
| themehunk | hunk_companion | <= 1.8.4 | — |
Detection & IOCs (extracted from sources)
Request signature: `POST /wp-json/hc/v1/themehunk-import HTTP/1.1`
- Monitor web server access logs for unauthenticated POST requests to the /wp-json/hc/v1/themehunk-import REST API endpoint, which is the attack vector for CVE-2024-9707.
- Check for the presence of rogue directories /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console under the WordPress root, which indicate post-exploitation activity.
- Identify the malicious plugin ZIP archive named 'up' hosted on GitHub; the archive contains obfuscated scripts for file upload/download/delete, permission changes, and a password-protected auto-login backdoor disguised as an All in One SEO plugin component.
- Use the FOFA query body="/wp-content/plugins/hunk-companion/" to identify internet-exposed WordPress instances running the Hunk Companion plugin for proactive scanning.
- CVE-2024-9707 affects Hunk Companion versions up to and including 1.8.4; a patch was released in 1.8.5, but it was insufficient and bypassable, leading to CVE-2024-11972, which affects versions up to 1.8.5. The fully fixed version is 1.9.0.
- The observed exploit payload targets the 'wp-file-manager' plugin slug via the themehunk-import endpoint; detection rules should account for arbitrary plugin slugs being passed in the 'plugin' and 'allPlugins' JSON fields, not just wp-file-manager.
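The detection notes above, worked into runnable defender-side logic as an added example (not code from the page, Wordfence, or the plugin vendor): it flags any POST to the import endpoint regardless of which slug is carried in the `plugin` or `allPlugins` fields, maps an installed plugin version to the fix status stated above, and checks a WordPress root listing for the listed rogue directory names. It assumes request bodies are visible (for instance at a WAF or reverse proxy); the sample request and directory listing are constructed.

```python
import json
from typing import Iterable

# Endpoint named in the advisory; requests passed in below are constructed samples.
TARGET_PATH = "/wp-json/hc/v1/themehunk-import"
# Post-exploitation directory names from the IOC list above.
ROGUE_DIRS = {"up", "background-image-cropper", "ultra-seo-processor-wp", "oke", "wp-query-console"}


def extract_plugin_slugs(body: str) -> list[str]:
    """Collect slugs from the 'plugin' and 'allPlugins' JSON fields; any slug counts, not only wp-file-manager."""
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return []
    if not isinstance(data, dict):
        return []
    slugs = []
    single = data.get("plugin")
    if isinstance(single, str):
        slugs.append(single)
    many = data.get("allPlugins")
    if isinstance(many, list):
        slugs.extend(s for s in many if isinstance(s, str))
    return slugs


def inspect_request(method: str, path: str, body: str = "") -> dict:
    """Flag every POST to the import endpoint; trailing slash and query string are ignored when matching."""
    hit = method.upper() == "POST" and path.split("?", 1)[0].rstrip("/") == TARGET_PATH
    return {"flagged": hit, "slugs": extract_plugin_slugs(body) if hit else []}


def assess_version(version: str) -> str:
    """Map a Hunk Companion version to the fix status: <= 1.8.4 vulnerable, 1.8.5 bypassable, 1.9.0+ fixed."""
    parts = [int(x) for x in version.split(".")]
    v = tuple(parts + [0] * (3 - len(parts)))  # pad "1.9" to (1, 9, 0)
    if v <= (1, 8, 4):
        return "vulnerable (CVE-2024-9707)"
    if v < (1, 9, 0):
        return "patch bypassable (CVE-2024-11972)"
    return "fixed"


def find_rogue_dirs(wp_root_entries: Iterable[str]) -> list[str]:
    """Return directory names under the WordPress root that match the rogue-directory IOCs."""
    return sorted(set(wp_root_entries) & ROGUE_DIRS)
```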
CVSS provenance
- NVD: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-8cm3-4qfx-pwvc (ghsa_unreviewed · 2024-10-11): CVE-2024-9707 [CRITICAL] CWE-862, Hunk Companion plugin for WordPress unauthorized plugin installation/activation via the /wp-json/hc/v1/themehunk-import REST API endpoint (description as above).
GHSA
CVE-2024-26579 [CRITICAL] CWE-502: Apache Inlong Deserialization of Untrusted Data vulnerability (ghsa · 2024-05-08)
Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.7.0 through 1.11.0. The attackers can bypass using malicious parameters.
Users are advised to upgrade to Apache InLong 1.12.0 or cherry-pick [1], [2] to solve it.
[1] https://github.com/apache/inlong/pull/9694
[2] https://github.com/apache/inlong/pull/9707
VulnCheck
CVE-2024-9707 [CRITICAL] Hunk Companion Plugin for WordPress /wp-json/hc/v1/themehunk-import REST API Vulnerability (vulncheck · 2024 · CVSS 9.8; description as above)
Affected: ThemeHunk Hunk Companion Plugin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-inte
No detection rules found.
Nuclei
CVE-2024-9707 [CRITICAL] Hunk Companion <= 1.8.4 - Arbitrary Plugin Installation (nuclei · CVSS 9.8; description as above)
Template:
```yaml
id: CVE-2024-9707
info:
  name: Hunk Companion <= 1.8.4 - Arbitrary Plugin Installation
  author: DhiyaneshDK
  severity: critical
  description: |
    The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp
```
Bleepingcomputer
## Hackers launch mass attacks exploiting outdated WordPress plugins
Bill Toulas · blogs_bleepingcomputer · 2025-10-24 · CVSS 9.8 [CRITICAL]
A widespread exploitation campaign is targeting WordPress websites with GutenKit and Hunk Companion plugins vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE).
WordPress security firm Wordfence says that it blocked 8.7 million attack attempts against its customers in just two days, October 8 and 9.
The campaign exploits three flaws, tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all rated critical (CVSS 9.8).
CVE-2024-9234 is an unauthenticated REST-endpoint flaw in the GutenKit plugin with 40,000 installs that allows installing arbitrary plugins without authentication.
CVE-2024-9707 and CVE-2024-11972 are missing-authorization vul
Bleepingcomputer
## Hunk Companion WordPress plugin exploited to install vulnerable plugins
Bill Toulas · blogs_bleepingcomputer · 2024-12-11 · CVSS 9.8 [CRITICAL]
Hackers are exploiting a critical vulnerability in the "Hunk Companion" plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository.
By installing outdated plugins with known vulnerabilities with available exploits, the attackers can access a large pool of flaws that lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS) flaws, or create backdoor admin accounts.
The activity was discovered by WPScan, who reported it to Hunk Companion, with a security update addressing the zero-day flaw released yesterday.
## Installing vulnerable plugins
Hunk Companion is a WordPress plugin designed to complement and enhance the functiona
References:
- https://github.com/WordPressBugBounty/plugins-hunk-companion/blob/5a3cedc7b3d35d407b210e691c53c6cb400e4051/hunk-companion/import/app/app.php#L46
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3166501%40hunk-companion&new=3166501%40hunk-companion&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/hunk-companion/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9c101fca-037c-4bed-9dc7-baa021a8b59c?source=cve