Wordfence warns about a large-scale malicious campaign in which attackers are exploiting critical vulnerabilities in the popular WordPress plugins GutenKit and Hunk Companion. The company blocked 8.7 million such attack attempts against its customers in just two days.
Hackers are exploiting three critical bugs (rated 9.8 on the CVSS scale): CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972. All of them enable remote code execution on vulnerable sites.
CVE-2024-9234 affects the GutenKit plugin, which has 40,000 active installations. The vulnerability is related to an unauthenticated REST endpoint and allows installing arbitrary plugins without any authentication. The issue affects GutenKit version 2.1.0 and earlier.
In turn, CVE-2024-9707 and CVE-2024-11972 stem from missing authorization in the themehunk-import REST endpoint of the Hunk Companion plugin, which has around 8,000 active installations. These issues likewise allow arbitrary plugins to be installed. The first vulnerability affects plugin version 1.8.4 and earlier; the second affects version 1.8.5 and all earlier releases.
It is reported that attackers are using these vulnerabilities to deploy another vulnerable plugin on sites, which then gives them the ability to execute code remotely.
Patches for all three issues have been available for almost a year: GutenKit 2.1.1 was released in October 2024, and Hunk Companion was updated to version 1.9.0 in December of the same year. However, many sites are still running vulnerable versions of the plugins, which makes them easy targets.
According to Wordfence, attackers are hosting a malicious plugin on GitHub in a ZIP archive named “up.” The archive contains obfuscated scripts for uploading, downloading, and deleting files, as well as changing permissions. One of the scripts, password-protected and disguised as a component of the All in One SEO plugin, automatically logs the attacker in as an administrator.
These tools give attackers full control: they can maintain persistence on the server, steal or upload files, execute commands, and intercept sensitive data.
If the direct route through the installed plugin does not work, attackers often install another vulnerable plugin, wp-query-console, which allows code execution without authentication.
Wordfence included in its report a list of IP addresses generating large volumes of malicious requests. In addition, administrators are advised to search their logs for suspicious requests to /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import. It is also worth checking the directories /up, /background-image-cropper, /ultra-seo-processor-wp, /oke and /wp-query-console for suspicious files.
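The log and directory checks above, as an added example that is not part of the Wordfence report or the article: it flags access-log requests to the two REST routes and reports which of the listed directory names appear in a plugins directory listing. The sample log lines are constructed, and the assumption that the directories live under wp-content/plugins/ is mine, not the report's.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs

# REST routes named in the Wordfence report. Legitimate calls come only from
# logged-in administrators, so hits from unknown clients warrant a closer look.
SUSPICIOUS_ROUTES = {
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
}

# Directory names from the report; that they sit under wp-content/plugins/ is an assumption.
SUSPICIOUS_DIRS = {"up", "background-image-cropper", "ultra-seo-processor-wp",
                   "oke", "wp-query-console"}

# Apache/nginx combined log format: ip - user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def rest_route(target):
    """Normalise a request target to its /wp-json route.

    WordPress also serves the REST API as /?rest_route=/ns/v1/... when pretty
    permalinks are off, so matching on the path alone would miss that form.
    """
    parts = urlsplit(target)
    alt = parse_qs(parts.query).get("rest_route")
    if alt:
        return "/wp-json" + alt[0].rstrip("/")
    return parts.path.rstrip("/")

def flag_requests(log_lines):
    """Return (ip, time, method, route, status) for each request to a flagged route."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        route = rest_route(m["target"])
        if route in SUSPICIOUS_ROUTES:
            hits.append((m["ip"], m["time"], m["method"], route, int(m["status"])))
    return hits

def flag_plugin_dirs(entries):
    """Return the names from SUSPICIOUS_DIRS present in a directory listing (e.g. os.listdir)."""
    return sorted(SUSPICIOUS_DIRS & set(entries))

# Constructed sample lines, not real traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512',
    '203.0.113.6 - - [10/Oct/2025:12:00:02 +0000] "POST /?rest_route=/hc/v1/themehunk-import HTTP/1.1" 200 640',
    '198.51.100.9 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096',
]
```

Run it against a real access log with `flag_requests(open(path))` and against a live install with `flag_plugin_dirs(os.listdir("wp-content/plugins"))`; a hit on either route with a 200 status is a prompt to check the plugin list and the named directories.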