threatover Patrik Grobshäuser

CVE-2024-9707 · CVE-2024-11972 · PLUGIN INSTALL → RCE

Hunk Companion exploit cleanup.

A Hunk Companion authorization flaw let unauthenticated attackers install plugins from the WordPress.org repo. Combined with the unpatched WP Query Console plugin, that's full RCE. Heavy exploitation late 2024. Flat $279 to clean it. I identify persistence, remove the second-stage plugin, and harden.

WHAT THE CHAIN WAS

One bug to install a plugin. Another bug in the installed plugin.

Stage 1. Hunk Companion exposed a REST route that installed plugins without checking authorization. Affected versions prior to 1.9.0; the same issue was rediscovered in the 1.8.5–1.8.6 range, which is why there are two CVE IDs (CVE-2024-9707 and CVE-2024-11972).

Stage 2. Attackers used Stage 1 to install WP Query Console, a long-abandoned plugin with an unauthenticated RCE (CVE-2024-50498) that was never going to be patched because the plugin had no maintainer. With WP Query Console installed, full remote code execution followed.

INDICATORS

What I look at.

  • PLUGIN PRESENCE

    wp-content/plugins/wp-query-console/ — even an empty folder is an indicator of compromise. Check whether the plugin was active in wp_options.active_plugins.

  • ACCESS LOG

    POSTs to /wp-json/hc/v1/themehunk-import (Hunk Companion install endpoint) from external IPs, in October–December 2024.

  • ADMIN USERS

    Administrators created after Stage 2 RCE — frequently with generic names, sometimes already with a 2FA secret to lock the legitimate owner out.

  • FILES

    Fresh PHP across uploads, modified core or theme PHP, new mu-plugins.
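Added example, not code from this page or from any threatover tooling: a small Python checker for the access-log and active_plugins indicators above, run over constructed sample data. It assumes a combined-format access log, takes October–December 2024 as the window, and matches the plugin by its directory slug (the main-file name in the sample is a constructed guess).

```python
import re
from datetime import datetime, timezone

INSTALL_ROUTE = "/wp-json/hc/v1/themehunk-import"   # Hunk Companion install endpoint
STAGE2_SLUG = "wp-query-console"                     # Stage-2 plugin directory
# Exploitation window (assumption: inclusive of Oct 1, exclusive of Jan 1, UTC).
WINDOW = (datetime(2024, 10, 1, tzinfo=timezone.utc),
          datetime(2025, 1, 1, tzinfo=timezone.utc))

# Combined log format: ip - - [date] "METHOD path HTTP/x" status size (assumption)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def flag_install_requests(lines):
    """Return (ip, iso_timestamp, status) for POSTs to the install route inside the window."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0].rstrip("/")
        if m["method"] == "POST" and path == INSTALL_ROUTE and WINDOW[0] <= ts < WINDOW[1]:
            hits.append((m["ip"], ts.isoformat(), int(m["status"])))
    return hits

def stage2_active(active_plugins_option):
    """True if the serialized wp_options.active_plugins value lists WP Query Console."""
    # PHP serialize() stores each entry as s:LEN:"dir/main-file.php"; compare the dir part.
    return any(v.split("/", 1)[0] == STAGE2_SLUG
               for v in re.findall(r's:\d+:"([^"]+)"', active_plugins_option))

# Constructed sample data (not real traffic or real option values).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Nov/2024:13:22:01 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 412',
    '198.51.100.9 - - [06/Nov/2024:02:10:44 +0000] "GET /wp-json/hc/v1/themehunk-import HTTP/1.1" 404 0',
    '203.0.113.7 - - [12/Mar/2024:09:00:00 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 412',
    '192.0.2.5 - - [07/Nov/2024:10:00:00 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 900',
]
SAMPLE_ACTIVE = 'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:37:"wp-query-console/wp-query-console.php";}'

if __name__ == "__main__":
    print(flag_install_requests(SAMPLE_LOG))
    print(stage2_active(SAMPLE_ACTIVE))
```

Only the in-window POST from the first sample line is flagged; the GET probe, the out-of-window POST and the unrelated REST call are not.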

Pricing

Cleanup

$279

flat, one-time, per site

Manual cleanup, entry-vector identification, written forensic report.

Start a cleanup

Monitoring

$29 / mo

per site, cancel any time

Continuous monitoring, hardening, one cleanup per year included.

Get protected

Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.

See all services →

Email [email protected] or use the contact form.