Mass Attack: Hackers Hit WordPress Plugins With 8.7M Exploits in 48 Hours
A widespread exploitation campaign has descended upon WordPress sites: attackers are targeting installations that use the GutenKit and Hunk Companion plugins, which harbor critical flaws permitting arbitrary code execution on vulnerable servers. Wordfence, a WordPress security firm, recorded 8.7 million attack attempts over just two days — October 8 and 9.
The campaign leverages three high-severity vulnerabilities — CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972 — each bearing a CVSS score of 9.8. The first, CVE-2024-9234, affects the GutenKit plugin (over 40,000 active installs): a flaw in its REST endpoint allows an unauthenticated adversary to install arbitrary plugins remotely. The other two, CVE-2024-9707 and CVE-2024-11972, reside in the themehunk-import component of Hunk Companion (approximately 8,000 sites). They likewise stem from missing access checks on a REST endpoint, enabling attackers to install arbitrary — potentially malicious — plugins. Once an auxiliary plugin is deployed, an intruder can execute commands on the server and achieve remote code execution (RCE).
CVE-2024-9234 affects GutenKit versions 2.1.0 and earlier. The Hunk Companion flaws manifest in versions 1.8.4 and 1.8.5, and in all preceding releases. Patches were released nearly a year ago — GutenKit 2.1.1 (October 2024) and Hunk Companion 1.9.0 (December 2024) — yet many sites continue to run outdated, vulnerable builds.
According to Wordfence, attackers are distributing a malicious archive named up.zip via GitHub; the archive contains a disguised plugin and encrypted scripts for uploading, deleting, and modifying files, as well as manipulating permissions. One password-protected file, masquerading as an All in One SEO component, is used to automatically log the attacker in as an administrator.
Once a plugin is implanted, adversaries gain persistent control of the site: they can exfiltrate or modify data, execute system commands, and harvest confidential information processed by the application. When installing a full backdoor proves difficult, attackers fall back to deploying wp-query-console, a plugin with its own unauthenticated RCE that serves the same malicious ends.
Wordfence has published a list of IP addresses responsible for the bulk of the malicious traffic; these can be used to configure server-level filters. Indicators of compromise include requests to the REST endpoints:
- /wp-json/gutenkit/v1/install-active-plugin
- /wp-json/hc/v1/themehunk-import
Inspect web directories such as /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console — unknown files in these locations often betray compromise.
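As an added example (not code from the article or from Wordfence), the following script turns the indicators above into a check a site operator can run: it scans web-server access-log lines for requests to the two REST endpoints and reports which of the listed directories exist under a webroot. The log lines and IP addresses are constructed samples, and the combined-log regex is an assumption about the log format.

```python
import re
from pathlib import Path

# Request paths named as indicators of compromise in the article.
IOC_ENDPOINTS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)
# Web directories the article says to inspect for unknown files.
IOC_DIRS = ("up", "background-image-cropper", "ultra-seo-processor-wp",
            "oke", "wp-query-console")

# Assumes the common "combined" access-log format: client IP, timestamp,
# request line and status code (other fields are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_endpoint_hits(log_lines):
    """Return (ip, method, path, status) for every request to an IoC endpoint.
    Query strings and trailing slashes are stripped before comparison."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path in IOC_ENDPOINTS:
            hits.append((m.group("ip"), m.group("method"), path, int(m.group("status"))))
    return hits

def find_suspicious_dirs(webroot):
    """Return the IoC directory names that exist directly under webroot."""
    root = Path(webroot)
    return [d for d in IOC_DIRS if (root / d).is_dir()]

# Constructed sample log lines (hypothetical IPs and timestamps, not from the article).
SAMPLE_LOG = [
    '203.0.113.10 - - [08/Oct/2025:10:15:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Oct/2025:10:15:03 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9140',
    '203.0.113.10 - - [08/Oct/2025:10:16:44 +0000] "POST /wp-json/hc/v1/themehunk-import/ HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ip, method, path, status in find_endpoint_hits(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status}")
    print("suspicious dirs under webroot:", find_suspicious_dirs("."))
```

A 200 response on either endpoint from an unpatched version is the case to treat as a likely successful install; a 403 or 404 suggests the request was blocked or the plugin is absent, but the source IP is still worth feeding into the server-level filters mentioned above.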
Crucially, the only reliable defense is timely patching: update all plugins promptly and run versions in which the developers have fixed these vulnerabilities.