Hunk Companion < 1.8.5 – Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation | CVE 2024-9707 | Plugin Vulnerabilities

Description

The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

Affects Plugins

Fixed in 1.8.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9c101fca-037c-4bed-9dc7-baa021a8b59c

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Sean Murphy

Verified

No

WPVDB ID

13079c3a-e9f5-48b3-ad8f-398480ea2f9d

Timeline

Publicly Published

2024-10-10 (about 1 year ago)

Added

2024-10-10 (about 1 year ago)

Last Updated

2024-10-11 (about 1 year ago)

Other

Published

Title

Published

2024-12-14

Title

Ksher < 1.1.2 - Missing Authorization

Published

2026-01-13

Title

Responsive Accordion Slider <= 1.2.2 - Missing Authorization to Authenticated (Contributor+) Slider Update via 'resp_accordion_silder_save_images'

Published

2023-10-16

Title

Broken Link Checker | Finder < 2.5.0 - Missing Authorization via moblc_auth_save_settings

Published

2024-12-15

Title

Poll Maker < 5.5.1 - Missing Authorization

Published

2024-03-28

Title

weForms < 1.6.21 - Missing Authorization