A large-scale hacking campaign is targeting WordPress websites that are still using outdated versions of the GutenKit and Hunk Companion plugins.
These plugins have serious security flaws that can allow hackers to take full control of a website.
Security company Wordfence reported that it blocked more than 8.7 million attack attempts within just two days, on October 8 and 9. The attacks exploit three vulnerabilities, tracked as CVE-2024-9234, CVE-2024-9707 and CVE-2024-11972, all rated critical, meaning an unpatched site can be fully taken over.
Three Critical Vulnerabilities Exploited
The campaign exploits three vulnerabilities, tracked as CVE-2024-9234, CVE-2024-9707 and CVE-2024-11972, all rated critical with a CVSS score of 9.8.
- CVE-2024-9234 – A missing authorization check on a REST endpoint in GutenKit (40,000 installs) that lets unauthenticated attackers install arbitrary plugins.
- CVE-2024-9707 and CVE-2024-11972 – Missing-authorization vulnerabilities in the themehunk-import REST endpoint of the Hunk Companion plugin (8,000 installs) that likewise allow unauthenticated plugin installation.
Attackers exploit these flaws to install a second, malicious plugin that gives them remote code execution and with it full control of the affected website.
Fixes
The developers fixed these vulnerabilities long ago: GutenKit was patched in version 2.1.1, released in October 2024, and Hunk Companion in version 1.9.0, released in December 2024. Many websites have still not been updated and remain open to attack.
According to Wordfence researchers, the attackers use a fake plugin named "up.zip", which they host on GitHub. It contains hidden scripts that can upload or delete files, change permissions, and log in to the website as an administrator. The malicious plugin poses as part of the popular All in One SEO tool, making it easy to overlook. In some cases the attackers also install another vulnerable plugin, "wp-query-console", which gives them access without needing a password.
Indicators of Compromise
Administrators should check access logs for requests to the following REST endpoints:
- /wp-json/gutenkit/v1/install-active-plugin
- /wp-json/hc/v1/themehunk-import
They should also inspect the plugin directory (wp-content/plugins/ on a standard install) for these rogue plugin directories:
- /up
- /background-image-cropper
- /ultra-seo-processor-wp
- /oke
- /wp-query-console
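To run these indicators against a site, here is an added example script (written for this page, not Wordfence's or the article's own tooling). It parses combined-format access logs for the two REST routes, flags whether each request received a 2xx response, and compares a plugin directory listing against the rogue names above. It goes one step beyond the list: WordPress also serves REST routes as /?rest_route=/... when plain permalinks are in use, so the scanner normalises both URL forms. The sample log lines are constructed, with RFC 5737 test addresses and invented timestamps.

```python
"""Scan access logs and the plugin directory for the GutenKit / Hunk Companion
campaign indicators. Added example; sample log lines below are constructed."""
import re
import sys
from pathlib import Path
from urllib.parse import parse_qs, urlparse

# REST routes abused by the campaign, keyed without the /wp-json/ prefix so that
# both URL forms WordPress accepts are matched (see rest_route_of).
CAMPAIGN_ROUTES = {
    "/gutenkit/v1/install-active-plugin": "CVE-2024-9234 (GutenKit)",
    "/hc/v1/themehunk-import": "CVE-2024-9707 / CVE-2024-11972 (Hunk Companion)",
}

# Plugin directory names reported as dropped by the attackers.
ROGUE_PLUGIN_DIRS = frozenset({
    "up", "background-image-cropper", "ultra-seo-processor-wp", "oke", "wp-query-console",
})

# Apache/Nginx combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def rest_route_of(request_path):
    """Return the REST route a request targets, or None for non-REST requests.

    WordPress exposes the same route as /wp-json/<route> (pretty permalinks) and as
    /?rest_route=/<route> (plain permalinks). Grepping only for /wp-json/ misses the
    second form, so both are normalised to "/<route>".
    """
    parsed = urlparse(request_path)
    idx = parsed.path.find("/wp-json/")  # find() also covers sub-directory installs
    if idx >= 0:
        return parsed.path[idx + len("/wp-json"):].rstrip("/")
    route = parse_qs(parsed.query).get("rest_route")
    if route:
        return "/" + route[0].strip("/")
    return None


def scan_access_log(lines):
    """Return one dict per request that hits a campaign route.

    'succeeded' is True for a 2xx response. A 403/404 usually means the request was
    blocked or the plugin is absent; a 200 on install-active-plugin means the
    exploit most likely ran and the plugin directory must be checked.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        route = rest_route_of(m.group("path"))
        if route not in CAMPAIGN_ROUTES:
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "method": m.group("method"),
            "route": route,
            "cve": CAMPAIGN_ROUTES[route],
            "status": status,
            "succeeded": 200 <= status < 300,
        })
    return hits


def flag_rogue_plugins(installed_dir_names):
    """Return the reported rogue plugin directory names present in a listing."""
    return sorted(ROGUE_PLUGIN_DIRS.intersection(installed_dir_names))


# Constructed sample log: two successful exploit calls (one via ?rest_route=),
# one blocked attempt, and two unrelated requests.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Oct/2025:13:22:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2025:13:22:05 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 403 98 "-" "curl/8.4.0"
192.0.2.44 - - [09/Oct/2025:02:10:44 +0000] "POST /?rest_route=/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [09/Oct/2025:02:10:50 +0000] "GET /wp-content/plugins/up/up.php HTTP/1.1" 200 20 "-" "python-requests/2.31"
203.0.113.10 - - [09/Oct/2025:02:11:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # Usage: python scan.py [access.log] [path/to/wp-content/plugins]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits = scan_access_log(fh)
    else:
        hits = scan_access_log(SAMPLE_LOG.splitlines())
    for h in hits:
        flag = "EXPLOIT LIKELY SUCCEEDED" if h["succeeded"] else "attempt"
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["route"]} -> {h["status"]} [{flag}] {h["cve"]}')
    if len(sys.argv) > 2:
        names = [p.name for p in Path(sys.argv[2]).iterdir() if p.is_dir()]
        print("rogue plugin directories present:", flag_rogue_plugins(names) or "none")
```

Run without arguments to see the scanner on the constructed sample, or pass a real access log and the plugin directory. Treat any 2xx hit on install-active-plugin or themehunk-import as a probable compromise rather than a mere attempt, and check the plugin listing even if the directories have since been renamed.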
Experts strongly recommend updating GutenKit to 2.1.1 or later and Hunk Companion to 1.9.0 or later, and keeping all plugins current. Updating closes the entry point but does not remove a plugin that was already dropped: a site whose logs show the requests above answered with a success response should be treated as compromised, with the rogue plugins removed and administrator accounts reviewed. Wordfence has also shared a list of IP addresses used in these attacks, which administrators can use to block the malicious traffic.