A widespread exploitation campaign is targeting WordPress websites with GutenKit and Hunk Companion plugins vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE).
WordPress security firm Wordfence says that it blocked 8.7 million attack attempts against its customers in just two days, October 8 and 9.
The campaign expoits three flaws, tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all rated critical (CVSS 9.8).
CVE-2024-9234 is an unauthenticated REST-endpoint flaw in the GutenKit plugin with 40,000 installs that allows installing arbitrary plugins without authentication.
CVE-2024-9707 and CVE-2024-11972 are missing-authorization vulnerabilities in the themehunk-import REST endpoint of the Hunk Companion plugin (8,000 installs) which can also lead to installing arbitrary plugins.
An authenticated attacker can leverage the vulnerabilities to introduce another vulnerable plugin that allows remote code execution.
- CVE-2024-9234 affects GutenKit 2.1.0 and earlier
- CVE-2024-9707 impacts Hunk Companion 1.8.4 and older
- CVE-2024-11972 impacts Hunk Companion 1.8.5 and previous versions
Fixes for the three vulnerabilities became available in Gutenkit 2.1.1, released in October 2024, and Hunk Companion 1.9.0, released in December 2024. However, despite the vendor fixing them almost a year ago, many websites continue to use vulnerable versions.
Wordfence’s observations based on the attack data indicate that researchers say that threat actors are hosting on GitHub a malicious plugin in a .ZIP archive called ‘up’.
The archive contains obfuscated scripts that allow uploading, downloading, and deleting files, and changing permissions. One of the scripts that is protected with a password, disguised as a component of the All in One SEO plugin, is used to automatically log in the attacker as an administrator.
The attackers use these tools to maintain persistence, steal or drop files, execute commands, or sniff private data handled by the site.
When attackers cannot directly reach a full admin backdoor via the installed package, they often install the a vulnerable ‘wp-query-console’ plugin that can be leveraged for unauthenticated RCE.
Wordfence has listed several IP addresses that drive high volumes of these malicious requests, which can help create defenses against these attacks.
As an indicator of compromise, the researchers say that administrators should look for /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import requests in the site access logs.
They should also check the directories /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console, for any rogue entries.
Administrator are recommended to keep all plugins on their websites updated to the latest version available from the vendor.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
