Mallory
Severity: Critical · Public exploit available

Unauthenticated plugin installation/activation in Hunk Companion WordPress plugin

Identifiers: CVE-2024-9707 · CWE-862 (Missing Authorization)

CVE-2024-9707 is an authorization flaw in the Hunk Companion plugin for WordPress affecting versions through 1.8.4, on the /wp-json/hc/v1/themehunk-import REST API endpoint. The issue stems from a missing capability check on that endpoint, allowing unauthenticated requests to reach functionality that installs and activates plugins. Supporting reporting also describes closely related vulnerable logic in the plugin’s REST route permission handling, where the permission_callback was improperly implemented and failed open, enabling unauthorized access to the tp_install workflow in code under hunk-companion/import/app/app.php and hunk-companion/import/core/class-installation.php. Successful exploitation allows an attacker to cause the site to fetch plugin ZIP packages from the WordPress.org repository by slug and activate them without authentication. This can be used directly for unauthorized code deployment via malicious or vulnerable plugin chains, and has been observed in the wild as part of follow-on exploitation leading to remote code execution.


Analyst brief

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

An unauthenticated attacker can install and activate arbitrary plugins from the WordPress.org repository on a vulnerable site. This gives the attacker the ability to expand attack surface, introduce vulnerable or backdoored functionality, and chain into further compromise. Observed exploitation used the flaw to install WP Query Console and then exploit its separate RCE vulnerability to execute arbitrary PHP code and deploy a persistent backdoor. Depending on the plugin installed, impact can include remote code execution, full site compromise, persistent access, data theft, administrative takeover, and use of the WordPress instance as a staging point for further attacks.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible:
- restrict or block access to the vulnerable REST endpoint /wp-json/hc/v1/themehunk-import at the web server, WAF, or reverse proxy layer;
- disable or remove the Hunk Companion plugin until it can be updated;
- monitor for POST requests to that endpoint and for unexpected plugin installation/activation events;
- alert on outbound retrieval of plugin ZIPs from WordPress.org initiated by the web server;
- hunt for indicators of follow-on exploitation, including requests to /?rest_route=/wqc/v1/query and unexpected PHP files in the site root.
Hardening plugin installation permissions and limiting filesystem write access for the web process may reduce post-exploitation impact but do not fix the underlying flaw.
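As an added defender-side example (not code from the advisory, Mallory, or the plugin), a small Python hunter that applies the monitoring guidance above to access-log lines: it flags requests to the themehunk-import route, flags the WP Query Console route named as a follow-on indicator, and reports source IPs that show the full observed install-then-RCE chain. The sample log lines, IPs, and the combined-log regex are constructed assumptions; note that WordPress also serves REST routes through the ?rest_route= query fallback, so a rule matching only /wp-json/ paths would miss half the traffic.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:10:00:01 +0000] "GET /wp-json/hc/v1/themehunk-import HTTP/1.1" 401 52 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2025:10:00:02 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.10 - - [12/Jan/2025:10:00:05 +0000] "POST /?rest_route=/hc/v1/themehunk-import HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.10 - - [12/Jan/2025:10:00:09 +0000] "POST /?rest_route=/wqc/v1/query HTTP/1.1" 200 410 "-" "python-requests/2.31"
192.0.2.5 - - [12/Jan/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Pretty-permalink form and the ?rest_route= fallback both reach the same REST handler.
INSTALL_ROUTE = re.compile(r'/wp-json/hc/v1/themehunk-import|[?&]rest_route=/hc/v1/themehunk-import')
WQC_ROUTE = re.compile(r'/wp-json/wqc/v1/query|[?&]rest_route=/wqc/v1/query')

@dataclass
class Finding:
    ip: str
    ts: str
    kind: str   # install_probe | install_attempt | install_success | wqc_followon
    path: str
    status: int

def hunt(log_text: str) -> list[Finding]:
    """Classify each access-log line against the CVE-2024-9707 attack chain."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m["ip"], m["ts"], m["method"], m["path"], int(m["status"])
        if INSTALL_ROUTE.search(path):
            if method != "POST":
                kind = "install_probe"
            else:  # a 200 on the POST means the site accepted the install/activate request
                kind = "install_success" if status == 200 else "install_attempt"
            findings.append(Finding(ip, ts, kind, path, status))
        elif WQC_ROUTE.search(path):  # WP Query Console endpoint used for follow-on RCE
            findings.append(Finding(ip, ts, "wqc_followon", path, status))
    return findings

def chained_ips(findings: list[Finding]) -> set[str]:
    """IPs that both installed a plugin and then hit WP Query Console: the observed chain."""
    installed = {f.ip for f in findings if f.kind == "install_success"}
    followed = {f.ip for f in findings if f.kind == "wqc_followon"}
    return installed & followed
```

Feed it a real access log with `hunt(open(path).read())`; any IP returned by `chained_ips` warrants treating the site as compromised rather than merely probed.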

Remediation

Patch, then assume compromise.

Upgrade Hunk Companion to a fixed version. The advisory states that CVE-2024-9707 affected versions up to and including 1.8.4, while related reporting indicates the broader unauthenticated plugin installation issue was confirmed patched in version 1.9.0. Given the reported continued exploitation on 1.8.7, the safest remediation is to update to Hunk Companion 1.9.0 or later. In addition, review installed plugins for unauthorized additions, especially recently installed or activated plugins such as WP Query Console; remove any unapproved plugins; inspect the web root for dropped PHP files and backdoors; rotate credentials; and restore from a known-good state if compromise is confirmed.
Public exploits

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 1 of 1 total
CVE-2024-9707-Poc · Maturity: PoC · Verified exploit

This repository contains a Python exploit script (CVE-2024-9707.py) and a README.md. The exploit targets the WordPress Hunk Companion plugin (versions 1.8.4 and below), specifically abusing the /wp-json/hc/v1/themehunk-import REST API endpoint, which lacks proper authorization checks. The script first checks the plugin version by fetching /wp-content/plugins/hunk-companion/readme.txt, then, if the version is vulnerable, sends a crafted POST request to the REST API endpoint to install and activate an arbitrary plugin (default: wp-file-manager). The exploit is operational, providing a working payload and clear usage instructions. The README.md offers detailed guidance, prerequisites, and example usage. No hardcoded credentials or IPs are present; the script is parameterized for target URL and plugin name. The main attack vector is network-based, exploiting an unauthenticated API endpoint on the target WordPress site.

Author: Nxploited · Disclosed Jan 12, 2025 · Python · network
Exposure surface

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor     Product         Type
Themehunk  Hunk Companion  application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
