CVE-2024-11972
Published: 31 December 2024
Summary
CVE-2024-11972 is a critical-severity vulnerability in Themehunk Hunk Companion; its weakness type (CWE) is unspecified. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Hunk Companion WordPress plugin before version 1.9.0 contains an authorization flaw affecting certain REST API endpoints. This allows unauthenticated requests to reach plugin installation and activation functionality that should be restricted.
An unauthenticated attacker can exploit the issue over the network to install and activate arbitrary plugins hosted on the WordPress.org repository, including plugins that have been closed for containing vulnerabilities. The flaw carries a CVSS 3.1 score of 9.8.
The single available reference is a WPScan advisory entry that documents the missing authorization checks but does not detail mitigations beyond upgrading. The associated EPSS score stands at 0.9188; no change from an earlier, lower value is indicated.
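As an added illustration (not Hunk Companion's own code, and not the plugin's real route or handler names), the bug class described above is a WordPress REST route whose permission_callback admits every caller; the hardened registration beside it gates the route on the capabilities core itself requires and constrains the argument. The hc-demo namespace, the hc_demo_* names and the slug argument are assumptions for the demo.

```php
<?php
// Added illustration, not the plugin's real code. The route namespace, the
// hc_demo_* names, the 'slug' argument and the handler are assumed for the demo.

// Vulnerable pattern: '__return_true' answers "yes" to every caller, so an
// unauthenticated POST reaches the install/activate handler directly.
function hc_demo_register_route_vulnerable() {
    register_rest_route( 'hc-demo/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'hc_demo_install_plugin', // assumed handler
        'permission_callback' => '__return_true',
    ) );
}

// Hardened pattern: require the same capabilities wp-admin demands before
// installing or activating plugins, and validate the slug before the handler runs.
function hc_demo_register_route_hardened() {
    register_rest_route( 'hc-demo/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'hc_demo_install_plugin', // assumed handler
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( current_user_can( 'install_plugins' ) && current_user_can( 'activate_plugins' ) ) {
                return true;
            }
            // 401 for anonymous callers, 403 for logged-in users lacking the capability.
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to install plugins.',
                array( 'status' => rest_authorization_required_code() )
            );
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
                // WordPress.org plugin slugs are lowercase letters, digits and hyphens.
                'validate_callback' => function ( $value ) {
                    return (bool) preg_match( '/^[a-z0-9-]+$/', $value );
                },
            ),
        ),
    ) );
}

add_action( 'rest_api_init', 'hc_demo_register_route_hardened' );
```

Unauthenticated requests to the hardened route are rejected with a 401 before the callback executes, which is the behaviour the fixed plugin version restores.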
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34370
Vulnerability details
The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.