
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The Hunk Companion WordPress plugin before version 1.9.0 contains a critical vulnerability (CVE-2024-11972) with a CVSS score of 9.8. The vulnerability allows unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repository, including vulnerable plugins that have been closed. This flaw affects over 10,000 active installations and is a patch bypass for a previously reported vulnerability (CVE-2024-9707) that was supposedly fixed in version 1.8.5 (WPScan Blog, Hacker News).
The vulnerability stems from a flaw in the permission_callback function within the file 'hunk-companion/import/app/app.php'. The function fails to return a proper boolean value for failed conditions, instead returning a WP_REST_Response object; WordPress treats that as a truthy, permission-granting value, so the permission_callback always evaluates to true. This allows unauthorized requests to bypass security checks and execute the tpinstall function, which invokes the HUNKCOMPANIONSITESBUILDER_SETUP class. The plugin also contains hardcoded WordPress.org URLs in 'hunk-companion/import/core/class-installation.php', allowing downloads of plugins even if they have been closed or removed from the repository (WPScan Blog).
The vulnerability enables attackers to install vulnerable or outdated plugins, which can be leveraged for various attacks including Remote Code Execution (RCE), SQL Injection, Cross-Site Scripting (XSS), and the creation of administrative backdoors. Attackers can bypass security measures, manipulate database records, execute malicious scripts, and gain unauthorized administrative access to affected sites (WPScan Blog, Security Online).
The vulnerability has been patched in Hunk Companion version 1.9.0. The fix involves modifying the permission_callback to correctly return a WP_Error for failed conditions instead of a WP_REST_Response. Site administrators are strongly advised to update to version 1.9.0 or later immediately (WPScan Blog).
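The root cause and the fix described above, as an added illustration that is not the plugin's own code: a permission_callback that returns a WP_REST_Response on failure is accepted by WordPress core (only WP_Error, false and null deny), while the corrected version returns a WP_Error. The route name, capability and handler are assumptions.

```php
<?php
// Added example, not code from Hunk Companion. Shows why returning a
// WP_REST_Response from a permission_callback grants access, and the fix.

// Mirrors how WordPress core judges a permission_callback's return value
// (WP_REST_Server::respond_to_request): only WP_Error, false and null deny.
function core_would_deny( $permission ) {
    return is_wp_error( $permission ) || false === $permission || null === $permission;
}

// Vulnerable pattern: the "failure" branch returns a response object.
// A WP_REST_Response is not WP_Error/false/null, so core treats it as granted.
function vulnerable_permission_callback( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) ) {            // capability is an assumption
        return new WP_REST_Response( array( 'error' => 'forbidden' ), 403 ); // still passes the check
    }
    return true;
}

// Fixed pattern: deny with WP_Error (plain false would also work), which core honours
// and turns into a 403 for the caller.
function fixed_permission_callback( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return true;
}

// Hypothetical route wiring; the handler only runs when the permission_callback allows it.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/install', array(   // namespace/route are assumptions
        'methods'             => 'POST',
        'permission_callback' => 'fixed_permission_callback',
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array( 'status' => 'ok' ) );
        },
    ) );
} );
```

When auditing a plugin, run each branch of its permission callbacks through the core_would_deny logic: any non-WP_Error, non-false, non-null return (including a 403 WP_REST_Response) is a silent grant.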
The security community has expressed significant concern about this vulnerability due to its high severity score and active exploitation in the wild. WPScan's research team emphasized the particular danger of this attack vector, noting the combination of factors it relies on: leveraging a previously patched vulnerability to install removed plugins with known security flaws (Hacker News).
Source: This report was generated using AI