← back
CVE-2024-11972

Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation

CVSS 9.8 CRITICALEPSS 54.8%
The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin before 1.9.0 that have been closed.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Unknown · Hunk Companion
public PoCs found4
githubgithub.com/RonF98/CVE-2024-11972-POC1githubgithub.com/Nxploited/CVE-2024-11972-PoC0cve_referencewpscan.com/vulnerability/4963560b-e4ae-451d-8f94-482779c415e4/unverifiedexploitdbwww.exploit-db.com/exploits/52259unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/4963560b-e4ae-451d-8f94-482779c415e4/