Mass attacks exploit outdated GutenKit and Hunk Companion WordPress plugins

A widespread exploitation campaign is targeting WordPress sites running outdated GutenKit and Hunk Companion plugins, using critical vulnerabilities that can lead to remote code execution, security firm Wordfence said. Wordfence reported it blocked 8.7 million attack attempts against its customers on October 8 and 9.

The campaign exploits three flaws – CVE-2024-9234, CVE-2024-9707 and CVE-2024-11972 – all rated critical (CVSS 9.8). CVE-2024-9234 is a missing-authorization flaw in a REST endpoint of GutenKit, which has about 40,000 installs, that permits installing arbitrary plugins without authentication. CVE-2024-9707 and CVE-2024-11972 are missing-authorization vulnerabilities in the themehunk-import REST endpoint of Hunk Companion, which has about 8,000 installs; they likewise allow an unauthenticated attacker to install arbitrary plugins.

Affected releases include GutenKit 2.1.0 and earlier, Hunk Companion 1.8.4 and older for CVE-2024-9707, and Hunk Companion 1.8.5 and previous versions for CVE-2024-11972. Fixes were published in GutenKit 2.1.1 in October 2024 and Hunk Companion 1.9.0 in December 2024, but many sites continue to run vulnerable versions.

Wordfence observed attackers hosting a malicious plugin archive named ‘up’ on GitHub. It contains obfuscated scripts able to upload, download and delete files, change permissions, and provide a backdoor disguised as an All in One SEO component that automatically logs the attacker in as an administrator. The tools are used to maintain persistence, steal or drop files, execute commands and intercept site data. When direct admin access is not available, attackers have installed a vulnerable ‘wp-query-console’ plugin to achieve unauthenticated remote code execution.

Administrators are advised to check access logs for requests to /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import, inspect directories such as /up, /background-image-cropper, /ultra-seo-processor-wp, /oke and /wp-query-console for rogue files, and keep plugins updated to vendor releases.
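The two checks above (log review for the install endpoints, and a look for the dropped plugin directories) are straightforward to script. The following is an added example written for this page; it is not Wordfence's tooling or either vendor's code. It assumes Apache/nginx "combined" log format and a standard `wp-content/plugins` layout, and it also catches the `index.php?rest_route=/...` spelling of the same REST routes, which the advisory's path list does not mention but which WordPress accepts. The sample log lines and directory tree are constructed.

```python
"""Detection helpers for the GutenKit / Hunk Companion plugin-install abuse
described above. Added example, not Wordfence's or either vendor's code.
Log lines used in the self-check are constructed."""
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# REST endpoints the advisory says to look for in access logs.
SUSPICIOUS_PATHS = frozenset({
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
})

# Plugin directory names the advisory lists as dropped by the attackers.
ROGUE_DIRS = frozenset({
    "up", "background-image-cropper", "ultra-seo-processor-wp",
    "oke", "wp-query-console",
})

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize_rest_path(target):
    """Return the /wp-json/... form of a request target.

    WordPress serves the same route both as /wp-json/<route> and as
    /index.php?rest_route=/<route>, so both spellings must be checked.
    """
    parts = urlsplit(target)
    rest_route = parse_qs(parts.query).get("rest_route")
    path = "/wp-json" + rest_route[0] if rest_route else parts.path
    return path.rstrip("/") or "/"


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = normalize_rest_path(rec.pop("target"))
    return rec


def find_endpoint_hits(lines):
    """Return parsed records whose normalized path is one of SUSPICIOUS_PATHS."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["path"] in SUSPICIOUS_PATHS:
            hits.append(rec)
    return hits


def find_rogue_plugin_dirs(plugins_dir):
    """List subdirectories of wp-content/plugins whose names match ROGUE_DIRS."""
    try:
        names = os.listdir(plugins_dir)
    except FileNotFoundError:
        return []
    return sorted(n for n in names
                  if n in ROGUE_DIRS and os.path.isdir(os.path.join(plugins_dir, n)))


# Constructed sample lines (addresses from documentation ranges, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Oct/2025:10:15:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Oct/2025:10:15:03 +0000] "POST /index.php?rest_route=%2Fhc%2Fv1%2Fthemehunk-import HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [08/Oct/2025:10:16:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8231 "-" "Mozilla/5.0"',
    'garbage line that is not in combined format',
]


def demo_rogue_dir_scan():
    """Self-check: build a throwaway plugins dir with one rogue and one benign name."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "up"))
        os.mkdir(os.path.join(d, "akismet"))
        return find_rogue_plugin_dirs(d)


if __name__ == "__main__":
    for h in find_endpoint_hits(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print("rogue dirs in sample tree:", demo_rogue_dir_scan())
```

On a real host, pass an open log file to `find_endpoint_hits` and the site's `wp-content/plugins` path to `find_rogue_plugin_dirs`. A 200 response to a POST on either endpoint from a client that never authenticated is the signal to treat the site as compromised and review the plugin directory, since the advisory's whole point is that these routes install plugins without a login.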