
Hackers launch mass assaults exploiting outdated WordPress plugins

A widespread exploitation campaign is targeting WordPress sites running GutenKit and Hunk Companion plugin versions that are vulnerable to critical-severity, long-patched security issues which can be chained to achieve remote code execution (RCE).

WordPress security firm Wordfence says that it blocked 8.7 million attack attempts against its customers in just two days, October 8 and 9.

The campaign exploits three flaws, tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all rated critical (CVSS 9.8).

CVE-2024-9234 is an unauthenticated REST-endpoint flaw in the GutenKit plugin (40,000 installs) that allows installing arbitrary plugins without authentication.

CVE-2024-9707 and CVE-2024-11972 are missing-authorization vulnerabilities in the themehunk-import REST endpoint of the Hunk Companion plugin (8,000 installs), which can likewise be abused to install arbitrary plugins.

Because none of the three endpoints checks the caller's identity, an unauthenticated attacker can leverage the vulnerabilities to introduce another, vulnerable plugin that in turn allows remote code execution.

  • CVE-2024-9234 affects GutenKit 2.1.0 and earlier
  • CVE-2024-9707 affects Hunk Companion 1.8.4 and older
  • CVE-2024-11972 affects Hunk Companion 1.8.5 and earlier versions

Fixes for the three vulnerabilities became available in GutenKit 2.1.1, released in October 2024, and Hunk Companion 1.9.0, released in December 2024. However, despite the vendors fixing them almost a year ago, many websites continue to run vulnerable versions.

Number of blocked attacks (Source: Wordfence)

Based on the attack data, Wordfence researchers say that the threat actors are hosting a malicious plugin on GitHub as a .ZIP archive called 'up'.

The archive contains obfuscated scripts that allow uploading, downloading, and deleting files, and changing file permissions. One of the scripts, which is password-protected and disguised as part of the All in One SEO plugin, is used to automatically log the attacker in as an administrator.

The attackers use these tools to maintain persistence, steal or drop files, execute commands, or sniff private data handled by the site.

When attackers cannot directly obtain a full admin backdoor through the installed package, they often install the vulnerable 'wp-query-console' plugin, which can be leveraged for unauthenticated RCE.


Wordfence has listed several IP addresses that drive high volumes of these malicious requests, which can help defenders build block lists against these attacks.

As indicators of compromise, the researchers say that administrators should look for requests to /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import in the site's access logs.

They should also check the plugin directories /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console for any rogue entries.
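The log and directory checks above can be scripted. The following triage helper is an added example written for this article, not Wordfence's tooling or code from either plugin vendor: it parses access-log lines in the Apache/Nginx Combined Log Format, flags requests to the two REST endpoints named above, ranks the source IPs, and looks for the rogue plugin slugs in wp-content/plugins. It goes slightly beyond the article's indicators by also matching the `/?rest_route=/...` form WordPress uses when pretty permalinks are disabled, and by comparing the `Version:` header of GutenKit and Hunk Companion against the fixed releases quoted above. The log lines and plugin header are constructed sample data, and the plugin directory slugs `gutenkit-blocks-addon` and `hunk-companion` are assumptions to check against your own install.

```python
"""Triage helper for the GutenKit / Hunk Companion campaign (example, not vendor code)."""
import re
import sys
from collections import Counter
from pathlib import Path
from urllib.parse import parse_qs, unquote

# REST endpoints Wordfence names as indicators of compromise (from the article).
IOC_ENDPOINTS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)
# Plugin directory slugs the article says to inspect for rogue entries.
ROGUE_PLUGIN_SLUGS = frozenset(
    {"up", "background-image-cropper", "ultra-seo-processor-wp", "oke", "wp-query-console"}
)
# First fixed release per plugin (article: GutenKit 2.1.1, Hunk Companion 1.9.0).
# The directory slugs used as keys are ASSUMED; verify them against wp-content/plugins.
FIXED_VERSIONS = {"gutenkit-blocks-addon": (2, 1, 1), "hunk-companion": (1, 9, 0)}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})\b'
)
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)

# Constructed sample log lines (RFC 5737 documentation addresses, not real attackers).
SAMPLE_LOG = """\
203.0.113.10 - - [08/Oct/2025:14:02:11 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Oct/2025:14:02:13 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 403 143 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2025:14:05:40 +0000] "POST /?rest_route=/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.44 - - [08/Oct/2025:14:06:02 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Oct/2025:14:06:05 +0000] "GET /wp-content/plugins/wp-query-console/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""
# Constructed plugin header in the WordPress plugin-header format.
SAMPLE_PLUGIN_HEADER = "<?php\n/**\n * Plugin Name: Hunk Companion\n * Version: 1.8.5\n */\n"


def normalise_route(target):
    """Canonical REST path for a request target: handles /wp-json/... and the
    /?rest_route=/... fallback, percent-encoding, case and a trailing slash."""
    path, _, query = target.partition("?")
    rest_route = parse_qs(query).get("rest_route", [""])[0]
    if rest_route:
        path = "/wp-json" + rest_route
    return unquote(path).lower().rstrip("/")


def _touches_rogue_plugin_dir(route):
    marker = "/wp-content/plugins/"
    i = route.find(marker)
    if i < 0:
        return False
    slug = route[i + len(marker):].split("/", 1)[0]
    return slug in ROGUE_PLUGIN_SLUGS


def scan_access_log(lines):
    """One dict per request that hits an IoC endpoint or probes a rogue plugin directory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        route = normalise_route(m.group("target"))
        if any(route.endswith(ep) for ep in IOC_ENDPOINTS):
            kind = "ioc-endpoint"
        elif _touches_rogue_plugin_dir(route):
            kind = "rogue-plugin-path"
        else:
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"), "time": m.group("time"), "method": m.group("method"),
            "route": route, "status": status, "kind": kind,
            # A 2xx on the install endpoint was not blocked: treat it as a probable
            # successful plugin install until the plugin directory has been reviewed.
            "likely_success": kind == "ioc-endpoint" and 200 <= status < 300,
        })
    return hits


def top_sources(hits, n=10):
    """Source IPs ranked by IoC hits; a starting point for a block list."""
    return Counter(h["ip"] for h in hits).most_common(n)


def rogue_plugin_dirs(dir_names):
    """Rogue slugs present among the given plugin directory names."""
    return sorted(ROGUE_PLUGIN_SLUGS.intersection(dir_names))


def parse_version(text):
    """Version tuple from a plugin header block, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).strip(".").split(".")) if m else None


def is_vulnerable(slug, version):
    fixed = FIXED_VERSIONS.get(slug)
    return fixed is not None and version is not None and version < fixed


def audit_plugins_dir(plugins_dir):
    """Rogue slugs and unpatched GutenKit / Hunk Companion under wp-content/plugins."""
    plugins_dir = Path(plugins_dir)
    names = [p.name for p in plugins_dir.iterdir() if p.is_dir()]
    unpatched = {}
    for slug in FIXED_VERSIONS:
        if slug in names:
            for php in (plugins_dir / slug).glob("*.php"):
                v = parse_version(php.read_text(errors="ignore"))
                if v is not None:
                    unpatched[slug] = (v, is_vulnerable(slug, v))
                    break
    return rogue_plugin_dirs(names), unpatched


if __name__ == "__main__":
    # Usage: python triage.py /var/log/nginx/access.log /var/www/html/wp-content/plugins
    log = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    hits = scan_access_log(log)
    for h in hits:
        print(h)
    print("top sources:", top_sources(hits))
    if len(sys.argv) > 2:
        print("plugins:", audit_plugins_dir(sys.argv[2]))
```

On the sample data the scanner reports three endpoint hits and one probe of the wp-query-console directory; the two 200 responses to the install endpoint are the ones to treat as probable compromises, while the 403 shows a request the WAF stopped. Rotated and compressed logs need to be fed in as well, since the fixes are a year old and the first successful install may predate the current log file.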

Administrators are advised to keep all plugins on their websites updated to the latest version available from the vendor.
