CVE-2024-11972: Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation

Description

The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin before 1.9.0 that have been closed.

Classification

CVE ID: CVE-2024-11972

Affected Products

Vendor: Unknown

Product: Hunk Companion

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.48% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://wpscan.com/vulnerability/4963560b-e4ae-451d-8f94-482779c415e4/

Timeline

2024-12-12 10:15:18 UTC
TheHackerNews

WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins
2025-01-01 00:30:17 UTC
CVE

Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation