Missing Authorization (CWE-862)
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins.
This vulnerability can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. The impact is severe, with potential for high confidentiality, integrity, and availability breaches. Unauthenticated attackers can exploit this vulnerability over the network without user interaction, potentially leading to full system compromise.
There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.
A patch is not explicitly mentioned in the provided information. However, given that the vulnerability affects "all versions up to, and including, 1.8.4" of the Hunk Companion plugin, it's likely that a patched version higher than 1.8.4 may be available or forthcoming.
1. Immediately update the Hunk Companion plugin to a version higher than 1.8.4 if available.
2. If an update is not available, consider disabling or removing the Hunk Companion plugin until a patch is released.
3. Implement strong access controls and monitor for unauthorized plugin installations or activations.
4. Regularly audit and update all WordPress plugins to minimize the risk of having other vulnerable plugins that could be exploited in conjunction with this vulnerability.
5. Consider implementing web application firewall (WAF) rules to block potentially malicious requests to the vulnerable endpoint (/wp-json/hc/v1/themehunk-import).
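As an added illustration of the flaw class (CWE-862 on a WordPress REST route) and the fix behind mitigations 1 to 3, here is hypothetical plugin code, not Hunk Companion's: the `example/v1` namespace, the route paths, the function names and the allowlist are assumptions. The weak registration is shown next to the hardened one.

```php
<?php
// Added illustration of CWE-862 on a WordPress REST route. Hypothetical code, not
// Hunk Companion's: namespace, paths, function names and allowlist are assumptions.

// WEAK: '__return_true' lets any request, authenticated or not, reach the handler.
function example_register_unsafe_route() {
    register_rest_route( 'example/v1', '/import-unsafe', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_import_handler',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED: require the capabilities core itself checks before installing or
// activating a plugin; anonymous callers get 401, unprivileged users get 403.
function example_import_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to install or activate plugins.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_register_hardened_route() {
    register_rest_route( 'example/v1', '/import', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_import_handler',
        'permission_callback' => 'example_import_permission',
        'args'                => array(
            'slug' => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );

// Defence in depth: only plugins the theme actually recommends may be installed,
// so even a privileged caller cannot name an arbitrary package.
function example_import_handler( WP_REST_Request $request ) {
    $allowed = array( 'contact-form-7', 'classic-widgets' ); // constructed sample allowlist
    $slug    = $request->get_param( 'slug' );
    if ( ! in_array( $slug, $allowed, true ) ) {
        return new WP_Error( 'example_not_allowed', __( 'Plugin is not in the allowlist.' ), array( 'status' => 400 ) );
    }
    // The real install/activate steps (Plugin_Upgrader, activate_plugin()) would run here.
    return rest_ensure_response( array( 'slug' => $slug, 'status' => 'queued' ) );
}
```

For the monitoring in mitigation 3, hooking the core `activated_plugin` action and logging the current user and request source gives an audit trail of every activation, whichever code path triggered it.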
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Feedly found the first article mentioning CVE-2024-9707.
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-9707
A CVSS base score of 9.8 has been assigned.
CVE-2024-9707 is a critical vulnerability in the Hunk Companion plugin for WordPress, with a CVSS score of 9.8, allowing unauthorized installation and activation of plugins due to a missing capability check on the REST API endpoint. Currently, there is no evidence of exploitation in the wild or public proof-of-concept exploits, but the potential for severe impacts, including remote code execution, exists if other vulnerable plugins are present. Mitigations include updating the plugin to a version higher than 1.8.4, disabling it if no update is available, and implementing strong access controls and monitoring.
EPSS Score was set to: 0.06% (Percentile: 27.9%)
Detection for the vulnerability has been added to Qualys (152312)