Critical severity9.8NVD Advisory· Published Oct 11, 2024· Updated Jun 17, 2026
CVE-2024-9707
CVE-2024-9707
Description
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=1.8.4
- themehunk/Hunk Companionv5Range: 0
Patches
Vulnerability mechanics
References
4- plugins.trac.wordpress.org/changesetnvdPatch
- www.wordfence.com/threat-intel/vulnerabilities/id/9c101fca-037c-4bed-9dc7-baa021a8b59cnvdThird Party Advisory
- github.com/WordPressBugBounty/plugins-hunk-companion/blob/5a3cedc7b3d35d407b210e691c53c6cb400e4051/hunk-companion/import/app/app.phpnvdProduct
- wordpress.org/plugins/hunk-companion/nvdProduct
News mentions
0No linked articles in our index yet.