A widespread exploitation marketing campaign is focusing on WordPress web sites with GutenKit and Hunk Companion plugins weak to critical-severity, previous safety points that can be utilized to attain distant code execution (RCE).
WordPress safety agency Wordfence says that it blocked 8.7 million assault makes an attempt in opposition to its clients in simply two days, October 8 and 9.
The marketing campaign expoits three flaws, tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all rated essential (CVSS 9.8).
CVE-2024-9234 is an unauthenticated REST-endpoint flaw within the GutenKit plugin with 40,000 installs that permits putting in arbitrary plugins with out authentication.
CVE-2024-9707 and CVE-2024-11972 are missing-authorization vulnerabilities within the themehunk-import REST endpoint of the Hunk Companion plugin (8,000 installs) which may additionally result in putting in arbitrary plugins.
An authenticated attacker can leverage the vulnerabilities to introduce one other weak plugin that permits distant code execution.
- CVE-2024-9234 impacts GutenKit 2.1.0 and earlier
- CVE-2024-9707 impacts Hunk Companion 1.8.4 and older
- CVE-2024-11972 impacts Hunk Companion 1.8.5 and former variations
Fixes for the three vulnerabilities turned accessible in Gutenkit 2.1.1, launched in October 2024, and Hunk Companion 1.9.0, launched in December 2024. Nevertheless, regardless of the seller fixing them virtually a 12 months in the past, many web sites proceed to make use of weak variations.
Supply: Wordfence
Wordfence’s observations based mostly on the assault information point out that researchers say that risk actors are internet hosting on GitHub a malicious plugin in a .ZIP archive referred to as ‘up’.
The archive incorporates obfuscated scripts that permit importing, downloading, and deleting recordsdata, and altering permissions. One of many scripts that’s protected with a password, disguised as a part of the All in One search engine optimization plugin, is used to mechanically log within the attacker as an administrator.
The attackers use these instruments to keep up persistence, steal or drop recordsdata, execute instructions, or sniff non-public information dealt with by the location.
When attackers can not immediately attain a full admin backdoor through the put in package deal, they usually set up the a weak ‘wp-query-console’ plugin that may be leveraged for unauthenticated RCE.
Wordfence has listed a number of IP addresses that drive excessive volumes of those malicious requests, which may also help create defenses in opposition to these assaults.
As an indicator of compromise, the researchers say that directors ought to search for /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import requests within the web site entry logs.
They need to additionally examine the directories /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console, for any rogue entries.
Administrator are beneficial to maintain all plugins on their web sites up to date to the newest model accessible from the seller.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and information exfiltration tendencies.
