Hunk Companion chain hit your site?
We clean it.

§ 01 — WHAT THE CHAIN WAS

One bug to install a plugin. Another bug in the installed plugin.

Stage 1. Hunk Companion exposed a REST route that installed plugins without checking authorization. Affected versions prior to 1.9.0; same issue rediscovered in 1.8.5–1.8.6 range, leading to two CVE IDs (CVE-2024-9707 and CVE-2024-11972).

Stage 2. Attackers used Stage 1 to install WP Query Console, a long-abandoned plugin with an unauthenticated RCE (CVE-2024-50498) that was never going to be patched because the plugin had no maintainer. With WP Query Console installed, full remote code execution followed.

§ 02 — INDICATORS

What we look at.

• [ PLUGIN PRESENCE ]

  wp-content/plugins/wp-query-console/ — even an empty folder is a hit indicator. Check whether it was active in wp_options.active_plugins.

• [ ACCESS LOG ]

  POSTs to /wp-json/hc/v1/themehunk-import (Hunk Companion install endpoint) from external IPs, in October–December 2024.

• [ ADMIN USERS ]

  Administrators created after Stage 2 RCE — frequently with generic names, sometimes already with a 2FA secret to lock the legitimate owner out.

• [ FILES ]

  Fresh PHP across uploads, modified core or theme PHP, new mu-plugins.

§ PRICE

Flat $279. One-time. Per site.