Redazione RHC : 29 October 2025 07:24
Wordfence is raising the alarm about a large-scale malware campaign in which attackers are exploiting critical vulnerabilities in the popular WordPress plugins GutenKit and Hunk Companion . The company blocked 8.7 million such attack attempts against its customers in just two days.
Hackers are exploiting three critical vulnerabilities (9.8 on the CVS19 security scale): CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972.
All of these vulnerabilities allow remote code execution on vulnerable websites.
CVE-2024-9234 affects the GutenKit plugin, which has 40,000 active installations . The vulnerability is related to an unauthenticated REST endpoint and allows the installation of arbitrary plugins without authentication. The issue affects GutenKit versions 2.1.0 and earlier.
The vulnerabilities CVE-2024-9707 and CVE-2024-11972 are related to a permission leak in the themehunk-import REST endpoint of the Hunk Companion plugin, which has been installed approximately 8,000 times.
These vulnerabilities also open the way for the installation of arbitrary plugins. The first vulnerability affects versions 1.8.4 and earlier of the plugin, while the second affects 1.8.5 and all earlier releases.
Attackers are reportedly exploiting these vulnerabilities to inject another vulnerable plugin into websites, which would allow them to remotely execute code.
Patches for all three issues have been available for almost a year: GutenKit 2.1.1 was released in October 2024, and Hunk Companion was updated to version 1.9.0 in December of that year. However, many websites still use vulnerable versions of the plugins, making them easy targets.
According to Wordfence, the attackers are hosting a malicious plugin on GitHub in a ZIP archive named “up.” The archive contains obfuscated scripts for uploading, downloading, and deleting files , as well as changing access permissions. One of the scripts, password-protected and disguised as a component of the All in One SEO plugin, automatically logs the attacker in as an administrator.
These tools give attackers complete control: they can maintain a presence on the server, steal or download files, execute commands, and intercept private data.
If the direct route via an installed plugin doesn’t work, attackers often inject websites with another vulnerable plugin, wp-query-console , which allows code execution without authentication.
Wordfence included a list of IP addresses generating large volumes of malicious requests in its report . Additionally, we recommend checking your logs for suspicious requests to /wp-json/gutenkit/v1/install-active-plugin /wp-json/hc/v1/themehunk-import.
It’s also worth checking the /up, /background-image-cropper, /ultra-seo-processor-wpe directories for suspicious files. /oke. /wp-query-console
Redazione