CVE-2024-9707

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Oct 11, 2024
Updated: Oct 15, 2024
CWE ID 862

Summary

CVE-2024-9707 is a critical vulnerability in the Hunk Companion plugin for WordPress that affects all versions up to and including 1.8.4. The plugin lacks proper capability checks on the /wp-json/hc/v1/themehunk-import REST API endpoint, which allows unauthenticated attackers to install and activate arbitrary plugins, potentially leading to remote code execution if other vulnerable plugins are present. The vulnerability has an exploitability score of 3.9 and a CVSS base score of 9.8, indicating high integrity and confidentiality impacts with low attack complexity and no user interaction required. Organizations using affected products are advised to update the Hunk Companion plugin to the latest version to remediate this issue. Leaving the vulnerability unaddressed could result in significant security breaches within affected WordPress installations.
