CVE-2024-11972

The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin...

Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation

Exploit Title: Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation Date: 16 December, 2024 Exploit Author: Jun Takemura Author's GitHub: https://github.com/JunTakemura Author's Blog: juntakemura.dev Vendor Homepage: https://themehunk.com Software Link:...

CVE-2024-9707

The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to...

CVE-2024-11972

The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin...

CVE-2024-11972

The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin...

Hunk Companion Plugin for WordPress < 1.9.0 Arbitrary Plugin Installation

The WordPress Hunk Companion Plugin installed on the remote host is affected by an improper access control vulnerability allowing a remote and unauthenticated attacker to install any plugin on the affected WordPress instance. Note that the scanner has not tester for these issues but has instead...

Exploit for CVE-2024-11972

-- Hunk Companion Plugin A PoC exploit for CVE-2024-1...

WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins

Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks. The flaw, tracked as CVE-2024-11972 CVSS score: 9.8, affects all versions of the plugin prior to 1.9.0. The...

VulnCheck KEV: CVE-2024-9707

The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to...

PT-2024-39774

Name of the Vulnerable Software and Affected Versions Hunk Companion plugin for WordPress versions prior to 1.9.0 WP Query Console versions affected versions not specified Description The Hunk Companion plugin for WordPress has a flaw allowing unauthorized plugin installation and activation. This...