CVE-2024-9707: CWE-862 Missing Authorization in themehunk Hunk Companion
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
AI Analysis
Technical Summary
CVE-2024-9707 is a critical missing authorization vulnerability (CWE-862) in the Hunk Companion plugin for WordPress. The vulnerability exists on the /wp-json/hc/v1/themehunk-import REST API endpoint, which lacks proper capability checks. This allows unauthenticated attackers to install and activate arbitrary plugins, potentially leading to remote code execution when combined with other vulnerable plugins. The issue affects all versions up to and including 1.8.4. The CVSS v3.1 base score is 9.8, reflecting network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. There is no vendor advisory or patch information available at this time.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to install and activate arbitrary WordPress plugins on affected sites. This can lead to remote code execution if another vulnerable plugin is present and activated, severely compromising the affected system's confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to the REST API endpoint if possible and monitor for suspicious plugin installations. Avoid installing or activating untrusted plugins and consider disabling the Hunk Companion plugin if feasible.
CVE-2024-9707: CWE-862 Missing Authorization in themehunk Hunk Companion
Description
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-9707 is a critical missing authorization vulnerability (CWE-862) in the Hunk Companion plugin for WordPress. The vulnerability exists on the /wp-json/hc/v1/themehunk-import REST API endpoint, which lacks proper capability checks. This allows unauthenticated attackers to install and activate arbitrary plugins, potentially leading to remote code execution when combined with other vulnerable plugins. The issue affects all versions up to and including 1.8.4. The CVSS v3.1 base score is 9.8, reflecting network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. There is no vendor advisory or patch information available at this time.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to install and activate arbitrary WordPress plugins on affected sites. This can lead to remote code execution if another vulnerable plugin is present and activated, severely compromising the affected system's confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to the REST API endpoint if possible and monitor for suspicious plugin installations. Avoid installing or activating untrusted plugins and consider disabling the Hunk Companion plugin if feasible.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-10-09T19:08:46.516Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b59b7ef31ef0b5548cb
Added to database: 2/25/2026, 9:36:25 PM
Last enriched: 4/9/2026, 3:36:28 PM
Last updated: 4/12/2026, 5:12:45 PM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.