Detections
Analytics

CVE-2024-11972

critical

Description

The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin before 1.9.0 that have been closed.

References

https://www.bleepingcomputer.com/news/security/hunk-companion-wordpress-plugin-exploited-to-install-vulnerable-plugins/

https://wpscan.com/blog/unauthorized-plugin-installation-activation-in-hunk-companion/

https://wpscan.com/vulnerability/4963560b-e4ae-451d-8f94-482779c415e4/

Details

Source: Mitre, NVD

Published: 2024-12-31

Updated: 2024-12-31

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical