CVE-2024-11972

Tags: CRITICAL · EXPLOITED · NUCLEI

Hunk Companion WP <1.9.0 - Auth Bypass

Title source: llm

Exploitation Summary

CVE-2024-11972 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including Jun Takemura, NoxPenguin, RonF98. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages an unauthenticated permission_callback flaw in the Hunk Companion plugin's REST API endpoint to install and activate arbitrary plugins from the WordPress.org repository. It sends a crafted JSON payload to the /wp-json/hc/v1/themehunk-import endpoint, bypassing authentication.

Description

The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.

Exploits (6)

exploitdb · WORKING POC
by Jun Takemura · python · webapps · multiple
https://www.exploit-db.com/exploits/52259

This exploit leverages an unauthenticated permission_callback flaw in the Hunk Companion plugin's REST API endpoint to install and activate arbitrary plugins from the WordPress.org repository. It sends a crafted JSON payload to the /wp-json/hc/v1/themehunk-import endpoint, bypassing authentication.

Classification: Working PoC (95%)
Attack type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Hunk Companion Plugin 1.8.8 (tested), likely affects 1.9.0
No auth needed
Prerequisites: Target WordPress site with vulnerable Hunk Companion plugin installed · Network access to the target site
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC · 1 star
by NoxPenguin · poc
https://github.com/NoxPenguin/exploit-CVE-2024-11972

This repository contains a functional Python exploit for CVE-2024-11972, targeting the Hunk Companion WordPress plugin. The exploit leverages an unauthenticated REST API endpoint to install and activate arbitrary plugins from the WordPress repository.

Classification: Working PoC (95%)
Attack type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Hunk Companion WordPress plugin < 1.9.0
No auth needed
Prerequisites: Python 3 · requests library · Target WordPress site with vulnerable Hunk Companion plugin
devstral-2 · analyzed Feb 19, 2026
nomisec · WORKING POC · 1 star
by RonF98 · remote
https://github.com/RonF98/CVE-2024-11972-POC

This repository contains a functional Python exploit for CVE-2024-11972, which targets an unauthenticated REST API endpoint in the Hunk Companion WordPress plugin (<1.9.0). The exploit allows arbitrary plugin installation from the WordPress.org repository, potentially leading to RCE via vulnerable plugins like WP Query Console.

Classification: Working PoC (95%)
Attack type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Hunk Companion WordPress plugin < 1.9.0
No auth needed
Prerequisites: Target WordPress site with Hunk Companion < 1.9.0 installed · Network access to the target site
devstral-2 · analyzed Feb 18, 2026
github · WORKING POC
by Boshe99 · python · poc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2024-11972-PoC

The repository contains functional exploit code for CVE-2024-11972, targeting arbitrary file upload vulnerabilities in WordPress plugins (3DPrint Lite and WPvivid). The exploits demonstrate file upload and potential RCE via crafted requests.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4, WPvivid Plugin up to 0.9.35
Auth required
Prerequisites: valid WordPress credentials · target URL · malicious file (e.g., shell.php or ZIP)
devstral-2 · analyzed Feb 27, 2026
nomisec · WORKING POC
by Nxploited · remote
https://github.com/Nxploited/CVE-2024-11972-PoC

This repository contains a functional exploit PoC for CVE-2024-11972, which targets an unauthenticated plugin installation vulnerability in the Hunk Companion WordPress plugin before version 1.9.0. The script checks the plugin version via readme.txt and exploits the vulnerable REST API endpoint to install arbitrary plugins.

Classification: Working PoC (95%)
Attack type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Hunk Companion WordPress plugin < 1.9.0
No auth needed
Prerequisites: Target must have the Hunk Companion plugin installed and be running a vulnerable version (< 1.9.0) · Target must have the REST API endpoint exposed
devstral-2 · analyzed Feb 18, 2026
vulncheck_xdb · WORKING POC
remote
https://github.com/JunTakemura/exploit-CVE-2024-11972

This repository contains a functional Python exploit for CVE-2024-11972, targeting the Hunk Companion WordPress plugin. The exploit automates the installation and activation of arbitrary plugins via a vulnerable REST endpoint without authentication.

Classification: Working PoC (95%)
Attack type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Hunk Companion WordPress plugin < 1.9.0
No auth needed
Prerequisites: Python 3 · requests library · target WordPress site with vulnerable plugin
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation
CRITICAL · by s4e-io
FOFA: body="/wp-content/plugins/hunk-companion/"

References (1)

Core references (1)
Tags: Exploit, Third Party Advisory · exploit · vdb-entry · technical-description
https://wpscan.com/vulnerability/4963560b-e4ae-451d-8f94-482779c415e4/

Scores

CVSS v3 9.8
EPSS 0.5475
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2024-12-10
Status published
Products (1)
themehunk/hunk_companion < 1.9.0
Published Dec 31, 2024
Tracked Since Feb 18, 2026