Saturday, October 25, 2025
Hackers launch mass attacks exploiting outdated WordPress plugins

A widespread exploitation campaign is targeting WordPress websites running GutenKit and Hunk Companion plugins that are vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE).

WordPress security firm Wordfence says that it blocked 8.7 million attack attempts against its customers in just two days, October 8 and 9.

The campaign exploits three flaws, tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all rated critical (CVSS 9.8).

CVE-2024-9234 is an unauthenticated REST-endpoint flaw in the GutenKit plugin (40,000 installs) that allows installing arbitrary plugins without authentication.

CVE-2024-9707 and CVE-2024-11972 are missing-authorization vulnerabilities in the themehunk-import REST endpoint of the Hunk Companion plugin (8,000 installs) that can also lead to installing arbitrary plugins.

An authenticated attacker can leverage the vulnerabilities to introduce another vulnerable plugin that allows remote code execution.

  • CVE-2024-9234 affects GutenKit 2.1.0 and earlier
  • CVE-2024-9707 affects Hunk Companion 1.8.4 and older
  • CVE-2024-11972 affects Hunk Companion 1.8.5 and earlier versions

Fixes for the three vulnerabilities became available in GutenKit 2.1.1, released in October 2024, and Hunk Companion 1.9.0, released in December 2024. However, despite the vendor fixing them almost a year ago, many websites continue to run vulnerable versions.
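As an added example (not Wordfence's or the plugins' own code), the following Python script reads the standard WordPress plugin header ("Plugin Name:" / "Version:") from each plugin's main file and flags installs still below the fixed releases named above, 2.1.1 for GutenKit and 1.9.0 for Hunk Companion. The plugin files it scans are constructed samples; the version comparison is numeric per component so that 1.10.1 is correctly treated as newer than 1.9.0, which a plain string comparison would get wrong.

```python
"""Flag WordPress plugin installs still on versions vulnerable to
CVE-2024-9234 (GutenKit <= 2.1.0) and CVE-2024-9707 / CVE-2024-11972
(Hunk Companion <= 1.8.5), by reading the standard plugin header.

Added example for this article; not Wordfence's or the plugins' own code.
The "Plugin Name:" / "Version:" header lines are the standard WordPress
plugin header convention; the sample plugin files below are constructed.
"""
import re

# First fixed releases named in the article.
FIXED_VERSIONS = {
    "GutenKit": (2, 1, 1),
    "Hunk Companion": (1, 9, 0),
}

# Matches " * Plugin Name: Foo" and " * Version: 1.2.3" inside the header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(text):
    """Turn '1.10.2' into (1, 10, 2) so comparison is numeric, not lexical."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def read_plugin_header(php_source):
    """Extract plugin name and version from a plugin's main PHP file."""
    fields = dict(HEADER_RE.findall(php_source))
    return fields.get("Plugin Name"), fields.get("Version")


def vulnerable_status(php_source):
    """Return (plugin_key, installed_version, is_vulnerable), or None when the
    file is not one of the two plugins discussed in the article."""
    name, version = read_plugin_header(php_source)
    if not name or not version:
        return None
    for key, fixed in FIXED_VERSIONS.items():
        if name.lower().startswith(key.lower()):
            installed = parse_version(version)
            # Pad to equal length so (2, 1) compares like (2, 1, 0).
            width = max(len(installed), len(fixed))
            installed += (0,) * (width - len(installed))
            padded_fixed = fixed + (0,) * (width - len(fixed))
            return key, version, installed < padded_fixed
    return None


# Constructed sample plugin files, keyed by their path under wp-content/plugins/.
SAMPLE_PLUGINS = {
    "gutenkit/gutenkit.php": "<?php\n/**\n * Plugin Name: GutenKit\n * Version: 2.1.0\n */\n",
    "hunk-companion/hunk-companion.php": "<?php\n/**\n * Plugin Name: Hunk Companion\n * Version: 1.10.1\n */\n",
    "example-plugin/example-plugin.php": "<?php\n/**\n * Plugin Name: Example Plugin\n * Version: 5.3\n */\n",
}


def audit(plugins=SAMPLE_PLUGINS):
    """Map each relevant plugin path to its (key, version, is_vulnerable) status."""
    report = {}
    for path, source in plugins.items():
        status = vulnerable_status(source)
        if status:
            report[path] = status
    return report


if __name__ == "__main__":
    for path, (key, ver, vuln) in audit().items():
        print(f"{path}: {key} {ver} -> {'VULNERABLE, update now' if vuln else 'patched'}")
```

On a real host, replace SAMPLE_PLUGINS with the contents of each plugin's main PHP file under wp-content/plugins; the header format is the same one WordPress itself parses to populate the Plugins screen.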

Figure: Number of blocked attacks (Source: Wordfence)

Wordfence’s observations based on the attack data indicate that threat actors are hosting on GitHub a malicious plugin in a .ZIP archive called ‘up’.

The archive contains obfuscated scripts that allow uploading, downloading, and deleting files, and changing permissions. One of the scripts, which is password-protected and disguised as part of the All in One SEO plugin, is used to automatically log in the attacker as an administrator.

The attackers use these tools to maintain persistence, steal or drop files, execute commands, or sniff private data handled by the site.

When attackers cannot immediately reach a full admin backdoor via the installed package, they often install the vulnerable ‘wp-query-console’ plugin, which can be leveraged for unauthenticated RCE.

Wordfence has listed several IP addresses that drive high volumes of these malicious requests, which can help in building defenses against these attacks.

As an indicator of compromise, the researchers say that administrators should look for /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import requests in the site access logs.

They should also check the directories /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console for any rogue entries.
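The two log-based indicators and the directory check above can be automated. The script below is an added example, not Wordfence's tooling. It parses access-log lines in the common combined log format (an assumption about the server's logging), normalises each request to its REST route so that a trailing slash, a query string, or WordPress's alternative `?rest_route=` request form all resolve to the same endpoint, counts hits per source IP, and intersects the plugin directory listing with the rogue names. All log lines, IP addresses (documentation ranges) and directory names are constructed sample data.

```python
"""Hunt for the indicators listed in the article: requests to the two abused
REST endpoints in the web server access log, and the rogue plugin
directory names the campaign drops.

Added example for this article, not Wordfence's tooling. The log lines and
the directory listing are constructed; the combined-log-format regex is an
assumption about how the web server logs requests.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Endpoint paths named in the article as indicators of compromise.
IOC_PATHS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)

# Plugin directory names the article says to inspect for rogue entries.
IOC_DIRS = {"up", "background-image-cropper", "ultra-seo-processor-wp", "oke", "wp-query-console"}

# Combined log format: client ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def request_route(target):
    """Normalise a request target to its REST route: the pretty-permalink path,
    or the rest_route query parameter that WordPress also accepts. Trailing
    slashes and query strings are dropped so they cannot hide a hit."""
    parts = urlsplit(target)
    route = parts.path
    q = parse_qs(parts.query)
    if "rest_route" in q:
        route = "/wp-json" + q["rest_route"][0]
    return route.rstrip("/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, method, target, status = m.groups()
    return {"ip": ip, "time": when, "method": method,
            "route": request_route(target), "status": int(status)}


def find_ioc_requests(lines):
    """Return parsed records whose normalised route is one of the IoC endpoints."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["route"] in IOC_PATHS:
            hits.append(rec)
    return hits


def top_sources(hits):
    """Source IPs ordered by number of IoC requests, for firewall follow-up."""
    return Counter(h["ip"] for h in hits).most_common()


def rogue_plugin_dirs(dir_names):
    """Names under wp-content/plugins that match the article's rogue directory list."""
    return sorted(IOC_DIRS.intersection(dir_names))


# Constructed sample access log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
203.0.113.10 - - [08/Oct/2025:10:01:12 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2025:10:01:15 +0000] "GET /wp-content/uploads/2025/10/logo.png HTTP/1.1" 200 9345 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Oct/2025:10:02:40 +0000] "POST /wp-json/hc/v1/themehunk-import/?_=1 HTTP/1.1" 403 0 "-" "curl/8.0"
203.0.113.11 - - [09/Oct/2025:03:14:01 +0000] "POST /?rest_route=/gutenkit/v1/install-active-plugin HTTP/1.1" 500 0 "-" "python-requests/2.31"
this line is not in combined log format
"""

# Constructed listing of wp-content/plugins on a hypothetical site.
SAMPLE_PLUGIN_DIRS = ["example-seo", "gutenkit", "hunk-companion", "up", "wp-query-console"]


def triage(log_text=SAMPLE_LOG, plugin_dirs=SAMPLE_PLUGIN_DIRS):
    """Run both checks and return the findings in one structure."""
    hits = find_ioc_requests(log_text.splitlines())
    return {"hits": hits, "top_sources": top_sources(hits),
            "rogue_dirs": rogue_plugin_dirs(plugin_dirs)}


if __name__ == "__main__":
    result = triage()
    for h in result["hits"]:
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["route"]} -> {h["status"]}')
    print("top sources:", result["top_sources"])
    print("rogue plugin dirs:", result["rogue_dirs"])
```

The status column matters when reading the output: a matched request answered with 403 was blocked before reaching the plugin, while a 200 on the install endpoint against a site that was still on a vulnerable version is the case that calls for a full review of the plugins directory and of the administrator accounts.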

Administrators are advised to keep all plugins on their websites updated to the latest version available from the vendor.
