Cyber Resilience

CVE-2024-11972

Critical · Public PoC

Published: 31 December 2024
Modified: 17 May 2025
KEV Added: not listed
Patch: fixed in 1.9.0
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9188 (99.7th percentile)
Risk Priority: 75 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11972 is a critical-severity vulnerability in Themehunk Hunk Companion for WordPress. No CWE has been assigned; the advisory describes it as a missing-authorization flaw in the plugin's REST API. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS 0.9188, 99.7th percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The Hunk Companion WordPress plugin before version 1.9.0 does not correctly authorize some of its REST API endpoints. Requests that carry no authentication at all can therefore reach plugin installation and activation functionality that should be limited to users holding the install_plugins and activate_plugins capabilities.

An unauthenticated attacker can exploit the issue over the network, with no user interaction, to install and activate arbitrary plugins hosted on the WordPress.org repository, including plugins that have since been closed for containing vulnerabilities, which effectively lets the attacker import those plugins' known flaws into the site. The vector (AV:N/AC:L/PR:N/UI:N) combined with full confidentiality, integrity and availability impact is what yields the CVSS 3.1 score of 9.8.
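The authorization mechanism at issue is the permission_callback that every WordPress REST route must supply. The block below is an added illustration of that bug class, not Hunk Companion's own code: the namespace (example-companion/v1), the route paths, the function names and the slug allowlist are hypothetical. It places a route whose permission check always succeeds next to a hardened registration that requires the install_plugins and activate_plugins capabilities and restricts which repository slugs may be installed.

```php
<?php
// Added illustration of the authorization bug class, not Hunk Companion's code.
// Namespace, route paths, function names and the allowlist are hypothetical.

// VULNERABLE: permission_callback always succeeds, so an unauthenticated
// POST to /wp-json/example-companion/v1/install-plugin reaches the installer.
// Omitting permission_callback entirely has the same effect (WordPress only
// emits a _doing_it_wrong notice).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-companion/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_and_activate',
        'permission_callback' => '__return_true', // BUG: no authorization
        'args'                => array( 'slug' => array( 'required' => true ) ),
    ) );
} );

// HARDENED: the same operation behind a capability check and a slug allowlist.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-companion/v1', '/install-plugin-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_and_activate',
        'permission_callback' => 'example_can_manage_plugins',
        'args'                => array(
            'slug' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => 'example_validate_slug',
            ),
        ),
    ) );
} );

// Authorization: require both capabilities the callback is about to exercise.
// Cookie-authenticated REST calls must also carry a valid X-WP-Nonce; without
// it WordPress treats the request as logged out and this check fails.
function example_can_manage_plugins() {
    if ( current_user_can( 'install_plugins' ) && current_user_can( 'activate_plugins' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'Sorry, you are not allowed to install or activate plugins.',
        array( 'status' => rest_authorization_required_code() ) // 401 or 403
    );
}

// Validation: only the slugs this plugin legitimately needs (hypothetical list).
// This is what stops a caller from requesting a closed, known-vulnerable plugin.
function example_validate_slug( $value ) {
    $allowed = array( 'example-theme-extension', 'example-blocks' );
    return in_array( $value, $allowed, true );
}

// Shared callback: resolve the slug on WordPress.org, install it, activate it.
function example_install_and_activate( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $slug = $request->get_param( 'slug' );
    $api  = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) || ! $installed ) {
        return new WP_Error( 'example_install_failed', 'Plugin installation failed.', array( 'status' => 500 ) );
    }

    $plugin_file = $upgrader->plugin_info(); // e.g. "example-blocks/example-blocks.php"
    $activated   = activate_plugin( $plugin_file );
    if ( is_wp_error( $activated ) ) {
        return $activated;
    }
    return rest_ensure_response( array( 'plugin' => $plugin_file, 'active' => true ) );
}
```

A quick audit for this pattern in any installed plugin is to search its source for register_rest_route calls whose permission_callback is '__return_true' or absent; each hit is a route an unauthenticated caller can reach and needs a capability check of the kind shown above, scoped to the privilege the callback actually exercises.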

The single available reference is a WPScan advisory entry that documents the missing authorization checks; it offers no mitigation beyond upgrading to 1.9.0 or later. The associated EPSS score stands at 0.9188, and no change from an earlier value is indicated.

EU & UK References

Vulnerability details

The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

themehunk
hunk companion
< 1.9.0 (fixed in 1.9.0)

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. The only remediation documented in the referenced advisory is upgrading Hunk Companion to 1.9.0 or later.

References