CVE-2024-9707

9.8 CRITICAL

📋 TL;DR

The Hunk Companion WordPress plugin has an unauthenticated REST API vulnerability that allows attackers to install and activate arbitrary plugins. This can lead to remote code execution if another vulnerable plugin is available. All WordPress sites using Hunk Companion version 1.8.4 or earlier are affected.

💻 Affected Systems

Products:
  • WordPress Hunk Companion plugin
Versions: All versions up to and including 1.8.4
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress REST API to be enabled (default). No special configuration needed.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete site compromise, data theft, malware distribution, or site defacement.

🟠 Likely Case

Attackers install malicious plugins to gain persistent access, create backdoors, or deploy cryptocurrency miners.

🟢 If Mitigated

Attackers can still install plugins but cannot achieve RCE without additional vulnerable plugins.

🌐 Internet-Facing: HIGH - Unauthenticated exploit against internet-facing WordPress sites.
🏢 Internal Only: MEDIUM - Lower risk if only accessible internally, but still exploitable by internal threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST request to vulnerable endpoint. Public exploit code available in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.5

Vendor Advisory: https://wordpress.org/plugins/hunk-companion/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find Hunk Companion.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 1.8.5+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable Hunk Companion plugin (platform: all)

Temporarily deactivate the vulnerable plugin until patched.

wp plugin deactivate hunk-companion

Block vulnerable REST endpoint (platform: linux)

Add an .htaccess rule (Apache with mod_rewrite, placed in the WordPress root) to block access to the vulnerable API endpoint.

RewriteEngine On
RewriteRule ^wp-json/hc/v1/themehunk-import - [F,L]

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests to /wp-json/hc/v1/themehunk-import
  • Restrict WordPress REST API access to authenticated users only using security plugins

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins and check the Hunk Companion version. If the version is 1.8.4 or earlier, the site is vulnerable.

Check Version:

wp plugin get hunk-companion --field=version

Verify Fix Applied:

Verify Hunk Companion version is 1.8.5 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-json/hc/v1/themehunk-import from unauthenticated users
  • Sudden plugin installations in WordPress logs

Network Indicators:

  • HTTP POST to /wp-json/hc/v1/themehunk-import with plugin installation payloads

SIEM Query:

source="wordpress.log" AND (uri="/wp-json/hc/v1/themehunk-import" OR message="*plugin installed*")
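As an added example (not part of this advisory or the plugin's own code), the log indicator above turned into a small detector over constructed access-log lines. It also matches the `?rest_route=` form, since WordPress serves REST routes through that query parameter as well as the /wp-json/ path, so a detection keyed only on the pretty path would miss it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:12:00:05 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2024:12:01:10 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 403 0 "-" "curl/8.4"
198.51.100.9 - - [10/Oct/2024:12:01:12 +0000] "POST /index.php?rest_route=/hc/v1/themehunk-import HTTP/1.1" 200 88 "-" "curl/8.4"
192.0.2.4 - - [10/Oct/2024:12:02:00 +0000] "GET /wp-json/hc/v1/themehunk-import HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

ROUTE = "/hc/v1/themehunk-import"


def targets_import_route(target: str) -> bool:
    """True if the request target reaches the themehunk-import REST route,
    either as the /wp-json/... path or via the rest_route query parameter."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/")
    if path.lower().endswith("/wp-json" + ROUTE):  # also covers WP in a subdirectory
        return True
    for value in parse_qs(parts.query).get("rest_route", []):
        if value.rstrip("/").lower() == ROUTE:
            return True
    return False


def find_import_requests(log_text: str) -> list[dict]:
    """Return POST requests to the vulnerable route and whether the server accepted them."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not targets_import_route(m["target"]):
            continue
        status = int(m["status"])
        # A 2xx means the plugin handled the import request: check the installed
        # plugin list for anything added after this timestamp.
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": status,
                     "accepted": 200 <= status < 300})
    return hits


if __name__ == "__main__":
    for hit in find_import_requests(SAMPLE_LOG):
        print(hit)
```

Run it against the real access log instead of SAMPLE_LOG; a blocked request (403 from the .htaccess rule above) still shows the source IP, which is worth correlating with other traffic from that client.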
