WordPress Vulnerabilities Exposed: Hackers Launch Massive Attacks Through Outdated Plugins
Mass Attacks Exploiting Outdated WordPress Plugins
A recent widespread exploitation campaign has been targeting WordPress websites that have vulnerable plugins such as GutenKit and Hunk Companion. These plugins have old security issues that can be exploited to achieve remote code execution (RCE).
According to WordPress security firm Wordfence, it blocked 8.7 million attack attempts against its customers in just two days, October 8 and 9.
The campaign exploits three critical-severity flaws known as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all of which have a CVSS rating of 9.8.
CVE-2024-9234 is in the GutenKit plugin and affects versions 2.1.0 and earlier. The flaw is an unauthenticated REST endpoint that allows arbitrary plugins to be installed without any credentials; it affects around 40,000 installations.
CVE-2024-9707 and CVE-2024-11972 are missing-authorization vulnerabilities in the themehunk-import REST endpoint of the Hunk Companion plugin. The former affects versions 1.8.4 and earlier, the latter versions 1.8.5 and earlier. Both likewise allow arbitrary plugin installation and affect around 8,000 installations.
Attackers can leverage these vulnerabilities to introduce another vulnerable plugin that allows remote code execution.
- CVE-2024-9234 affects GutenKit 2.1.0 and earlier
- CVE-2024-9707 impacts Hunk Companion 1.8.4 and older
- CVE-2024-11972 impacts Hunk Companion 1.8.5 and previous versions
Although fixes for these vulnerabilities have been available in GutenKit 2.1.1 (released in October 2024) and Hunk Companion 1.9.0 (released in December 2024), many websites are still running vulnerable versions.
Source: Wordfence
Wordfence’s analysis of the attack data reveals that threat actors are hosting a malicious plugin on GitHub in a .ZIP archive named ‘up’.
This archive contains obfuscated scripts that enable various malicious activities such as uploading, downloading, and deleting files, changing permissions, and even automatically logging in the attacker as an administrator using a password-protected script disguised as a component of the All in One SEO plugin.
Attackers use these tools to maintain persistence, steal or drop files, execute commands, or extract private data from the targeted site.
If attackers cannot access a full admin backdoor directly through the installed package, they often resort to installing a vulnerable ‘wp-query-console’ plugin that enables unauthenticated RCE.
Wordfence has identified several IP addresses responsible for high volumes of malicious requests, which can aid in developing defenses against these attacks.
Administrators are advised to look for specific requests such as /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import in the site access logs as indicators of compromise.
They should also inspect directories like /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console for any suspicious entries.
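The checks described above, as an added example that is not part of the original article or of Wordfence's tooling: it scans access-log lines for the two abused REST endpoints, matches plugin directory names against the ones the article says to inspect, and flags installed plugin versions still below the first fixed release. It assumes the common Apache/Nginx "combined" log format and that plugin directories live under wp-content/plugins; the sample log lines are constructed.

```python
import re

# Abused REST endpoints and plugin directory names listed in the article.
SUSPICIOUS_ENDPOINTS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)
SUSPICIOUS_DIRS = {"up", "background-image-cropper", "ultra-seo-processor-wp",
                   "oke", "wp-query-console"}
# First patched release of each plugin, per the article.
FIXED_VERSIONS = {"GutenKit": (2, 1, 1), "Hunk Companion": (1, 9, 0)}

# Apache/Nginx "combined" access-log line (assumed log format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log lines; the IPs are documentation ranges, not real indicators.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2025:10:11:12 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [08/Oct/2025:10:12:01 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Oct/2025:03:44:09 +0000] "POST /wp-json/hc/v1/themehunk-import?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"
""".splitlines()

def find_endpoint_hits(log_lines):
    """Return (ip, timestamp, path, status) for each request to an abused endpoint.
    A 200 on a still-vulnerable version is the case to investigate; a 403 was refused."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if any(path.startswith(ep) for ep in SUSPICIOUS_ENDPOINTS):
            hits.append((m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits

def find_suspicious_dirs(plugin_dir_names):
    """Given directory names under wp-content/plugins (assumed location),
    return those matching the names the article says to inspect."""
    return sorted(set(plugin_dir_names) & SUSPICIOUS_DIRS)

def parse_version(s):
    return tuple(int(x) for x in s.split("."))

def vulnerable_plugins(installed):
    """installed maps plugin name -> version string; return names still below the fix."""
    return [name for name, ver in installed.items()
            if name in FIXED_VERSIONS and parse_version(ver) < FIXED_VERSIONS[name]]
```

An endpoint hit alone is not proof of compromise; pair a 200 response on these paths with the directory and version checks before treating the site as breached.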
It is highly recommended for administrators to keep all plugins on their websites updated to the latest versions provided by the vendors to ensure security.