Unauthenticated Plugin Installation and Activation in Hunk Companion WordPress Plugin
CVE-2024-11972 is an authorization bypass vulnerability in the Hunk Companion WordPress plugin affecting versions prior to 1.9.0. The flaw is in the REST API route exposed at /wp-json/hc/v1/themehunk-import, implemented in the files referenced as hunk-companion/import/app/app.php and hunk-companion/import/core/class-installation.php. The route's permission_callback was intended to restrict access, but on a failed authorization check it returned a WP_REST_Response object instead of false or a WP_Error. WordPress denies a REST request only when permission_callback returns false, null, or a WP_Error; any other return value, including a response object that merely carries an error status, is treated as permission granted, so the callback effectively failed open and unauthenticated requests were allowed through. As a result, an unauthenticated attacker could send POST requests that invoke the tp_install function and trigger the HUNK_COMPANION_SITES_BUILDER_SETUP logic to install and activate arbitrary plugins from the WordPress.org repository by slug. The issue was observed in active exploitation, including abuse to install the closed WP Query Console plugin and then chain into its separate RCE vulnerability, CVE-2024-50498, to execute arbitrary PHP code and deploy a persistent backdoor.
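The fail-open pattern described above, shown beside its hardened form as an added illustration; this is not Hunk Companion's own code, and the route namespace, function names and text domain (demo/v1, demo_import_*, 'demo') are hypothetical. It runs as a WordPress plugin fragment, not stand-alone PHP.

```php
<?php
// Added illustration, not the plugin's real code. Names below are hypothetical.

// VULNERABLE PATTERN: a WP_REST_Response on failure.
// WP_REST_Server::dispatch() only denies the request when permission_callback
// returns false/null or a WP_Error. A WP_REST_Response object, even one built
// with a 401 status, is neither, so the route handler still runs.
function demo_import_permission_vulnerable( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_REST_Response( array( 'error' => 'unauthorized' ), 401 ); // fails open
    }
    return true;
}

// HARDENED: true only when the caller may install and activate plugins,
// otherwise a WP_Error carrying the proper 401/403 status.
function demo_import_permission_fixed( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to install plugins.', 'demo' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Handler: only reached when the permission callback returned true.
function demo_import_handler( WP_REST_Request $request ) {
    $slug = $request->get_param( 'slug' ); // already passed through sanitize_key
    return rest_ensure_response( array( 'slug' => $slug, 'status' => 'accepted' ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/import', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'demo_import_handler',
        'permission_callback' => 'demo_import_permission_fixed', // never the vulnerable one
        'args'                => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );
```

With the fixed callback an anonymous POST to /wp-json/demo/v1/import receives a rest_forbidden error before the handler runs; with the vulnerable one the handler executes regardless of the caller.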
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a proof-of-concept (PoC) exploit for CVE-2024-11972, targeting the Hunk Companion WordPress plugin (versions below 1.9.0). The exploit is implemented in a single Python script, 'hunk_companion_exploit.py', which automates the process of exploiting an authentication bypass in the plugin's REST API endpoint '/wp-json/hc/v1/themehunk-import'. By sending a specially crafted POST request, an unauthenticated attacker can install and activate any plugin from the official WordPress plugin repository on the target site. The script requires the attacker to specify the target WordPress site's URL and the desired plugin's slug. The repository also includes a README.md with detailed usage instructions and a LICENSE file. No hardcoded IPs or domains are present; the endpoint is relative and must be combined with the attacker's chosen target URL. The exploit is a functional PoC and does not include advanced payloads or post-exploitation features.
This repository contains a Python proof-of-concept exploit (CVE-2024-11972.py) targeting the Hunk Companion WordPress plugin versions less than 1.9.0. The exploit leverages an unauthenticated REST API endpoint (/wp-json/hc/v1/themehunk-import) to install and activate arbitrary plugins from the WordPress.org repository on a vulnerable WordPress site. The script first checks the installed plugin version by fetching /wp-content/plugins/hunk-companion/readme.txt, then, if the version is vulnerable, sends a crafted POST request to the REST API endpoint to trigger the plugin installation. The repository also includes a README.md with usage instructions and a description of the vulnerability. The exploit is a network-based, unauthenticated attack and does not require prior access to the target site.
This repository contains a Python exploit (exploit.py) and a detailed README for CVE-2024-11972, a critical unauthenticated plugin installation vulnerability in the Hunk Companion WordPress plugin (versions < 1.9.0). The exploit works by sending a crafted POST request to the '/wp-json/hc/v1/themehunk-import' REST API endpoint, which, due to improper authorization checks in vulnerable versions, allows any user to install and activate arbitrary plugins from the WordPress.org repository. The exploit script first checks the installed version of the Hunk Companion plugin by fetching its readme.txt, then attempts exploitation if the version is vulnerable. The README provides a thorough breakdown of the vulnerability, including code snippets from the plugin's source and a comparison of security fixes across versions. The main attack vector is network-based, targeting the exposed REST API endpoint. The exploit enables attackers to install further malicious or vulnerable plugins, potentially leading to remote code execution, database compromise, or persistent backdoors. The repository is well-structured, with a single exploit script and comprehensive documentation.
Recent activity
A critical WordPress Hunk Companion plugin vulnerability exploited to silently install other vulnerable plugins.
A critical vulnerability in the Hunk Companion WordPress plugin allowing unauthorized plugin installation/activation via missing capability checks.
WordPress plugin vulnerability (GutenKit/Hunk Companion context) used in mass exploitation to enable unauthenticated plugin installation/activation leading to potential remote code execution.
An authorization bypass/unauthenticated access issue in the WordPress Hunk Companion plugin (versions < 1.9.0) where the REST endpoint /wp-json/hc/v1/themehunk-import can be invoked without authentication to trigger plugin installation workflow behavior.