9.8
CVE-2024-9707
- EPSS 90.28%
- Veröffentlicht 11.10.2024 13:15:21
- Zuletzt bearbeitet 25.11.2024 18:50:39
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginHunk Companion <= 1.8.4 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
Mögliche Gegenmaßnahme
Hunk Companion: Update to version 1.8.5, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Hunk Companion
Version
*-1.8.4
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Themehunk ≫ Hunk Companion SwPlatformwordpress Version < 1.8.5
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 90.28% | 0.996 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.