2 matches found
CVE-2024-11972
CVE-2024-11972 affects the Hunk Companion WordPress plugin prior to 1.9.0. The flaw is improper authorization of REST API endpoints (notably the /wp-json/hc/v1/themehunk-import endpoint), allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, incl...
CVE-2024-9707
CVE-2024-9707 covers the Hunk Companion WordPress plugin (v1.8.4 and earlier). Multiple sources confirm a missing capability check on the REST endpoint /wp-json/hc/v1/themehunk-import, allowing unauthenticated attackers to install/activate arbitrary plugins and potentially trigger remote code exe...