A large-scale exploitation campaign is actively targeting numerous WordPress websites that have failed to update the GutenKit and Hunk Companion plugins, leaving them exposed to critical security flaws. These vulnerabilities, which have been patched for almost a year, are being used by attackers to gain remote code execution (RCE). The severity of the campaign is underscored by security observations: in just two days, October 8 and 9, the firm Wordfence reported blocking over 8.7 million attack attempts against its customers. Despite the availability of fixes for these flaws, a significant number of websites continue to run vulnerable versions, making them easy targets for this widespread attack.
The attackers are leveraging three specific vulnerabilities, all rated with a critical CVSS score of 9.8: CVE-2024-9234 in the GutenKit plugin (affecting versions 2.1.0 and earlier), and CVE-2024-9707 and CVE-2024-11972 in the Hunk Companion plugin (affecting versions 1.8.4 and older, and 1.8.5 and previous, respectively). These flaws all stem from insufficient security checks, specifically an unauthenticated REST-endpoint flaw in GutenKit and missing authorization issues in Hunk Companion’s themehunk-import endpoint. Crucially, these shortcomings allow a threat actor to install arbitrary plugins without proper authentication. The necessary fixes were released in Gutenkit 2.1.1 and Hunk Companion 1.9.0, meaning administrators have had ample time to secure their sites.
Once an attacker can install an arbitrary plugin, they often follow a two-pronged approach to achieve full site compromise. Their primary method involves installing a malicious plugin hosted on GitHub in a ZIP file named ‘up’. This archive is packed with obfuscated scripts designed for stealth, allowing the attacker to perform file management tasks—uploading, downloading, and deleting files—and change system permissions. One script is even disguised as an All in One SEO component, protected by a password, which automatically logs the attacker in with administrator privileges to establish persistence and complete the site takeover.
Should the primary path to a full admin backdoor fail, the attackers resort to a secondary strategy: installing the known vulnerable ‘wp-query-console’ plugin. This specific plugin can be leveraged for unauthenticated RCE, providing another route for the threat actors to execute commands on the compromised server. These tools allow the attackers to maintain long-term access, steal sensitive data, drop additional malware, or execute arbitrary commands, posing a major risk to the site’s integrity and user data privacy. Wordfence has shared a list of IP addresses driving high volumes of these malicious requests, which can be used to bolster network-level defenses.
To detect and mitigate these ongoing attacks, website administrators must take immediate action. The most critical step is to ensure that both GutenKit and Hunk Companion are updated to the latest available versions. For existing compromises, administrators should inspect their site access logs for suspicious requests to the specific endpoints /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import. Additionally, they must check the site’s directories for rogue entries in paths like /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console. The general recommendation remains paramount: keep all website plugins updated to the newest versions to prevent exploitation of old, well-known flaws.
Reference:
