CVE-2024-11972

9.8 CRITICAL

📋 TL;DR

The Hunk Companion WordPress plugin before version 1.9.0 has an authorization flaw in its REST API endpoints. This allows unauthenticated attackers to install and activate arbitrary plugins from the WordPress.org repository, including potentially malicious or vulnerable ones. All WordPress sites running affected plugin versions are at risk.

💻 Affected Systems

Products:
  • Hunk Companion WordPress plugin
Versions: All versions before 1.9.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin active. No special configuration needed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site takeover via installation of malicious plugins that provide backdoors, remote code execution, or data exfiltration capabilities.

🟠 Likely Case: Attackers install vulnerable or malicious plugins to establish persistence, escalate privileges, or deploy malware.

🟢 If Mitigated: Limited impact if proper network segmentation and web application firewalls block unauthorized plugin installations.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing and the exploit requires no authentication.
🏢 Internal Only: MEDIUM - Internal WordPress sites could still be compromised if accessible to internal attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests to vulnerable REST endpoints can trigger the vulnerability. Public proof-of-concept exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.0

Vendor Advisory: https://wpscan.com/vulnerability/4963560b-e4ae-451d-8f94-482779c415e4/

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find the Hunk Companion plugin.
  4. Click 'Update Now' if an update is available.
  5. If no update shows, manually download version 1.9.0 or later from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: all)

Temporarily deactivate the Hunk Companion plugin until patched:

  wp plugin deactivate hunk-companion

Restrict REST API access (platform: linux)

Block unauthenticated access to WordPress REST API endpoints. Add to .htaccess:

  <IfModule mod_rewrite.c>
  RewriteCond %{REQUEST_URI} ^/wp-json/ [NC]
  RewriteCond %{HTTP_COOKIE} !wordpress_logged_in [NC]
  RewriteRule .* - [R=403,L]
  </IfModule>

Note that this rule blocks every unauthenticated REST call, not only the plugin's, so public features that depend on /wp-json/ (contact forms, oEmbed, some front-end themes) will stop working while it is in place. The cookie condition only tests that a login cookie name is present in the request; it is a stopgap, not an authentication control, and should be removed once the plugin is updated or uninstalled.

🧯 If You Can't Patch

  • Remove the Hunk Companion plugin completely from the WordPress installation
  • Implement a web application firewall (WAF) rule to block requests to the vulnerable REST endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Hunk Companion version. If version is below 1.9.0, you are vulnerable.

Check Version:

wp plugin get hunk-companion --field=version

Verify Fix Applied:

Confirm Hunk Companion plugin version is 1.9.0 or higher in WordPress admin panel.
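The version check above, scripted for a fleet of sites. This is an added example, not code from the advisory or the plugin vendor: it wraps the WP-CLI command given above and compares the result numerically against 1.9.0, because a plain string comparison would rank 1.10 below 1.9. The site root paths are hypothetical, and WP-CLI is assumed to be installed.

```python
"""Fleet check: is Hunk Companion below the fixed version 1.9.0?

Added example (not from the advisory). Assumes WP-CLI is on PATH and each
path passed to check_sites() is a WordPress root; the paths in __main__ are
hypothetical.
"""
import re
import subprocess

FIXED_VERSION = "1.9.0"          # fixed version stated in the advisory
PLUGIN_SLUG = "hunk-companion"   # slug used by the advisory's wp-cli command


def parse_version(text):
    """Turn '1.8.2', '1.10' or 'v1.9.0-beta1' into a tuple of ints so that
    1.10 sorts above 1.9. Only the leading dotted integers count; pre-release
    suffixes are dropped, so a 1.9.0 pre-release is treated as 1.9.0."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # pad to three components so that (1, 9) == (1, 9, 0)
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is strictly below the fixed version."""
    return parse_version(version) < parse_version(fixed)


def installed_version(site_path):
    """Ask WP-CLI for the plugin version (the advisory's command plus --path).
    Returns None when the plugin is absent, WP-CLI is missing, or it fails."""
    try:
        out = subprocess.run(
            ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version",
             f"--path={site_path}"],
            capture_output=True, text=True, check=True, timeout=60,
        )
    except (subprocess.CalledProcessError, FileNotFoundError,
            subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


def check_sites(paths):
    """Map each site path to 'vulnerable', 'patched' or 'not-installed/unknown'."""
    results = {}
    for path in paths:
        version = installed_version(path)
        if version is None:
            results[path] = "not-installed/unknown"
        else:
            results[path] = "vulnerable" if is_vulnerable(version) else "patched"
    return results


if __name__ == "__main__":
    # hypothetical site roots
    for site, status in check_sites(["/var/www/site-a", "/var/www/site-b"]).items():
        print(f"{site}: {status}")
```

A site reported as "not-installed/unknown" needs a manual look: WP-CLI failing is not the same as the plugin being absent.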

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin installation/activation events in WordPress logs
  • REST API requests to /wp-json/hunk-companion/ endpoints from unauthenticated users

Network Indicators:

  • HTTP POST requests to plugin installation endpoints without authentication headers
  • Traffic to WordPress.org plugin repository from unexpected sources

SIEM Query:

source="wordpress.log" AND ("plugin installed" OR "plugin activated") AND user="unauthenticated"
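The two log indicators above can be joined into one correlation rule: an install or activate event performed with no logged-in user, preceded within a short window by accepted requests into the plugin's REST namespace from the same site. The following is an added example, not part of this advisory: the access lines are in the Apache/nginx "combined" format, the activity-log format is a constructed stand-in for whatever audit plugin a site runs, the route under /wp-json/hunk-companion/ is a placeholder, the 60-second window is an assumption, and all sample lines are constructed.

```python
"""Correlate access-log hits on the Hunk Companion REST namespace with
WordPress plugin install/activate events done by a non-logged-in actor.

Added example, not from the advisory. Access lines use the Apache/nginx
"combined" format; the activity-log format is a constructed stand-in for
whatever audit plugin the site runs. All sample lines are constructed.
"""
import re
from datetime import datetime, timedelta

REST_NAMESPACE = "/wp-json/hunk-companion/"   # namespace named in the advisory
WINDOW = timedelta(seconds=60)                # correlation window (assumption)

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# constructed format: "<ISO8601> plugin <installed|activated> slug=<x> user=<y>"
ACTIVITY_RE = re.compile(
    r'^(?P<ts>\S+) plugin (?P<action>installed|activated) '
    r'slug=(?P<slug>\S+) user=(?P<user>\S+)$'
)

# Constructed sample data: 203.0.113.9 gets two POSTs into the plugin namespace
# accepted, and seconds later a plugin is installed and activated with no
# logged-in user. The route name under the namespace is a placeholder.
ACCESS_LOG = [
    '198.51.100.7 - - [10/Dec/2024:12:00:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2024:12:00:03 +0000] "POST /wp-json/hunk-companion/v1/placeholder-route HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Dec/2024:12:00:04 +0000] "POST /wp-json/hunk-companion/v1/placeholder-route HTTP/1.1" 200 91 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Dec/2024:12:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
ACTIVITY_LOG = [
    "2024-12-10T12:00:05Z plugin installed slug=example-plugin user=unauthenticated",
    "2024-12-10T12:00:06Z plugin activated slug=example-plugin user=unauthenticated",
    "2024-12-10T12:10:00Z plugin activated slug=akismet user=admin",
]


def parse_access(line):
    """Return (ip, datetime, method, path, status), or None if the line is
    not in combined format."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def parse_activity(line):
    """Return (datetime, action, slug, user), or None for unrelated lines."""
    m = ACTIVITY_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["action"], m["slug"], m["user"]


def find_rest_hits(access_lines):
    """All requests into the plugin's REST namespace, regardless of status."""
    hits = []
    for line in access_lines:
        rec = parse_access(line)
        if rec and rec[3].startswith(REST_NAMESPACE):
            hits.append(rec)
    return hits


def correlate(access_lines, activity_lines, window=WINDOW):
    """For each install/activate event with user=unauthenticated, collect the
    client IPs that received a 2xx from the plugin namespace in the preceding
    window. An event with no such hit is still reported at lower confidence,
    since the web tier may sit behind a proxy whose logs live elsewhere."""
    hits = find_rest_hits(access_lines)
    alerts = []
    for line in activity_lines:
        ev = parse_activity(line)
        if not ev or ev[3] != "unauthenticated":
            continue
        ts, action, slug, _ = ev
        sources = sorted({ip for ip, t, _m, _p, st in hits
                          if ts - window <= t <= ts and 200 <= st < 300})
        alerts.append({"time": ts.isoformat(), "action": action, "slug": slug,
                       "sources": sources,
                       "confidence": "high" if sources else "medium"})
    return alerts


if __name__ == "__main__":
    for a in correlate(ACCESS_LOG, ACTIVITY_LOG):
        print(f"[{a['confidence']}] {a['time']} plugin {a['action']} "
              f"{a['slug']} sources={a['sources'] or 'none'}")
```

Run against the constructed sample the rule yields two high-confidence alerts attributed to 203.0.113.9 and ignores the administrator's activation of akismet. On a real site the activity lines must come from an audit plugin or the SIEM normalisation layer, since WordPress core does not log plugin installs by default.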
