{"uuid": "5e1cc667-8f06-4cde-b167-203c95a1038c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "Unauthorized Plugin Installation/Activation in Hunk Companion | WPScan", "description": "# Unauthorized Plugin Installation/Activation in Hunk Companion | WPScan\n\nRef: https://wpscan.com/blog/unauthorized-plugin-installation-activation-in-hunk-companion/\n\nThis report highlights a vulnerability in the [Hunk Companion plugin](https://wordpress.org/plugins/hunk-companion/) < 1.9.0 that allows unauthenticated POST requests to install and activate plugins directly from the WordPress.org repository.\n\nThis flaw poses a significant security risk, as it enables attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution (RCE), SQL Injection, Cross-Site Scripting (XSS), or even the creation of administrative backdoors. By leveraging these outdated or unmaintained plugins, attackers can bypass security measures, manipulate database records, execute malicious scripts, and gain unauthorized administrative access to the site.\n\nMethod of Exploitation\n----------------------\n\nWhile tracing an infection on a WordPress site, we uncovered a live vulnerability currently being exploited in a two-step process:\n\n1.  **Unauthenticated Installation/Activation**: Attackers exploit a flaw to install and activate the now-closed and vulnerable plugin, [WP Query Console](https://wordpress.org/plugins/wp-query-console/).\n2.  **Remote Code Execution (RCE)**: The vulnerability in WP Query Console is then exploited to evaluate arbitrary and malicious PHP code.\n\nIn the infections we\u2019ve analyzed, attackers use the RCE to write a PHP dropper to the site\u2019s root directory. This dropper allows continued unauthenticated uploads via GET requests, enabling persistent backdoor access to the site.\n\nInvestigation\n-------------\n\nThe vulnerability was uncovered during an investigation into the entry point for an infection caused by its exploitation. Access logs revealed that the `change timestamp` of a randomly named PHP file located in the root of the WordPress installation (`/htdocs/aea74fff3c02.php`) was preceded by requests to the following endpoints:\n\n* Time: Nov 27, 2024 @ 08:21:41.812\n  * request_url: /aea74fff3c02.php\n  * http_user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2735.76 Safari/537.36\n  * request_type: GET\n* Time: Nov 27, 2024 @ 08:21:41.561\n  * request_url: /?rest_route=/wqc/v1/query\n  * http_user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2735.76 Safari/537.36\n  * request_type: POST\n* Time: Nov 27, 2024 @ 08:21:40.354\n  * request_url: /wp-json/hc/v1/themehunk-import\n  * http_user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2735.76 Safari/537.36\n  * request_type: POST\n* Time: Nov 27, 2024 @ 08:21:08.151\n  * request_url: /wp-json/hc/v1/themehunk-import\n  * http_user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2735.76 Safari/537.36\n  * request_type: POST\n\nFurther investigation revealed that the plugins responsible for these endpoints are **Hunk Companion** (`hc/v1`) and **WP Query Console** (`wqc/v1`), respectively. In every observed infection, the modification times of the dropped files aligned with POST requests to these same endpoints.\n\nThe Remote Code Execution (RCE) vulnerability in WP Query Console, reported under [CVE-2024-50498](https://www.cve.org/CVERecord?id=CVE-2024-50498), remains unpatched. Meanwhile, the unauthenticated plugin installation/activation vulnerability in Hunk Companion was reportedly fixed in version 1.8.5 and greater, as documented in [CVE-2024-9707](https://www.cve.org/CVERecord?id=CVE-2024-9707).\n\nUpon further review, we confirmed that this infection did, in fact, occur with the latest version of Hunk Companion at that time, 1.8.7, indicating that the vulnerability had persisted in the current version.\n\nCode Analysis\n-------------\n\nAn analysis of the code responsible for the `themehunk-import` endpoint revealed the vulnerability being exploited.\n\nWithin the file `hunk-companion/import/core/class-installation.php`, the class `HUNK_COMPANION_SITES_BUILDER_SETUP` is executed by the endpoint and handles plugin installation and activation.\n\nOn line 204, the following code demonstrates that the WordPress.org URL is hardcoded, restricting installations to plugins hosted on the WordPress.org repository:\n\n```php\n$temp_file = download_url('https://downloads.wordpress.org/plugin/'.$slug.'.zip');\n```\n\nHowever, this URL still serves plugins that have been closed or removed from the repository, so the restriction does not prevent the installation of known-vulnerable plugins. This behavior introduces a significant vector for exploitation.\n\nThe vulnerability stems from the weakness found in `hunk-companion/import/app/app.php`:\n\n```php\nregister_rest_route( 'hc/v1', 'themehunk-import', array(\n    'methods'             => 'POST',\n    'callback'            => array( $this, 'tp_install' ),\n    'permission_callback' => function () {\n        // Check if the user is logged in\n        if ( ! is_user_logged_in() ) {\n            //return new WP_REST_Response( 'Unauthorized: User not logged in', 401 );\n        }\n\n        // Debug: Log the user role and capabilities to see what they have\n        $current_user = wp_get_current_user();\n        // error_log( 'Current user: ' . $current_user->user_login );\n        // error_log( 'User roles: ' . implode( ', ', $current_user->roles ) );\n        // error_log( 'User capabilities: ' . print_r( $current_user->allcaps, true ) );\n\n        // Ensure the user has the 'install_plugins' capability\n        if ( ! current_user_can( 'install_plugins' ) ) {\n            return new WP_REST_Response( 'Unauthorized: Insufficient capabilities', 401 );\n        }\n\n        // Get the nonce from the request header\n        $nonce = $request->get_header('X-WP-Nonce');\n\n        // Verify the nonce\n        if ( ! wp_verify_nonce( $nonce, 'hc_import_nonce' ) ) {\n            return new WP_REST_Response( 'Unauthorized: Invalid nonce', 401 );\n        }\n\n        return true; // Permission granted\n    },\n) );\n```\n\nLines 28-59 register the REST API route for `themehunk-import`. In version 1.8.5, the plugin author introduced a `permission_callback` to restrict access. However, for [`permission_callback`](https://developer.wordpress.org/rest-api/extending-the-rest-api/adding-custom-endpoints/#permissions-callback) to work correctly, it must return a boolean (`false` to reject requests, `true` to accept) or a `WP_Error` object.\n\nIn this case, failed conditions return `new WP_REST_Response`, which is neither a boolean nor a `WP_Error`. WordPress only rejects the request when the callback returns `false`, `null` or a `WP_Error`; a `WP_REST_Response` object is treated as permission granted. As a result, the `permission_callback` effectively always evaluates to `true`, allowing unauthenticated requests to bypass the intended checks. This flaw enables the execution of the `tp_install` function, which invokes the `HUNK_COMPANION_SITES_BUILDER_SETUP` class, leading to the installation and activation of arbitrary plugins.\n\n### Recommended Fix\n\nTo address this issue, the `themehunk-import` and `ai-site-import` endpoints needed to be patched. Specifically, the return statements for failed conditions needed to be changed. For example, replace:\n\n```php\nreturn new WP_REST_Response( 'Unauthorized: User not logged in', 401 );\n```\n\nWith:\n\n```php\nreturn new WP_Error( 'unauthorized', __( 'You must be logged in.' ), array( 'status' => 401 ) );\n```\n\nThis change ensures the `permission_callback` correctly denies unauthorized requests, mitigating the vulnerability.\n\nAs of 1.9.0, the author implemented the necessary patch, and we have confirmed that the exploit is no longer present.\n\nConclusion\n----------\n\nThis vulnerability represents a significant and multifaceted threat, targeting sites that use both a [ThemeHunk theme](https://profiles.wordpress.org/themehunk/#content-themes) and the Hunk Companion plugin. With over 10,000 active installations, this exposed thousands of websites to anonymous, unauthenticated attacks capable of severely compromising their integrity.\n\nWhat makes this attack particularly dangerous is its combination of factors\u2014leveraging a previously patched vulnerability in Hunk Companion to install a now-removed plugin with a known Remote Code Execution flaw. The chain of exploitation underscores the importance of securing every component of a WordPress site, especially third-party themes and plugins, which can become critical points of entry for attackers.\n\nAs WordPress remains the most popular content management system in the world, such vulnerabilities serve as a stark reminder of the ongoing challenges in maintaining site security. It\u2019s imperative for developers, site owners, and plugin authors alike to adopt proactive measures, such as regularly updating plugins and themes, auditing for known vulnerabilities, and disabling unused or unnecessary extensions.\n\nTimeline\n--------\n\n**Nov 27th, 2024** \u2013 Internal discovery of this vulnerability. We reported the issue to Hunk Companion.\n\n**Dec 10th, 2024** \u2013 Hunk Companion acknowledges the issue and releases a patch.\n\n**Dec 10th, 2024** \u2013 We published this advisory.\n\n_The PoC will be displayed on January 14, 2025, to give users the time to update._\n\nCredits\n-------\n\nOriginal research: Daniel Rodriguez\n\n**Acknowledgments**: Special thanks to the WPScan team and Ashley Robicheau for feedback, help, and corrections.", "description_format": "markdown", "vulnerability": "CVE-2024-11972", "creation_timestamp": "2024-12-15T06:47:50.105587+00:00", "timestamp": "2024-12-15T06:47:50.105587+00:00", "related_vulnerabilities": ["CVE-2024-9707", "CVE-2024-50498"], "meta": [{"tags": ["vulnerability:exploitability=documented"]}], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
