CVE-2024-9707

The repository contains functional exploit code for CVE-2024-9707, demonstrating a command execution vulnerability in OpenCode. The script includes a multi-threaded scanner that checks for the vulnerability by creating a session and executing a command (e.g., 'id') to verify RCE.

This PoC demonstrates an unauthenticated arbitrary plugin installation/activation vulnerability in Hunk Companion <= 1.8.4 via a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint. The provided HTTP request can be used to install and activate arbitrary plugins, potentially leading to remote code execution if a vulnerable plugin is installed.

The repository contains functional exploit code for CVE-2024-9707, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the ability to upload a malicious file to a vulnerable target.

This PoC exploits CVE-2024-9707, a missing authorization vulnerability in the WordPress Hunk Companion plugin (<= 1.8.4), allowing unauthenticated arbitrary plugin installation/activation via the REST API endpoint /wp-json/hc/v1/themehunk-import.