Full Report
A widespread exploitation campaign is targeting WordPress websites with GutenKit and Hunk Companion plugins vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE). [...]
Analysis Summary
# Vulnerability: Mass Exploitation Campaign Targeting Arbitrary Plugin Installation in WordPress Plugins
## CVE Details
- CVE ID: CVE-2024-9234, CVE-2024-9707, CVE-2024-11972
- CVSS Score: 9.8 (Critical)
- CWE: Missing Authorization / Insecure Direct Object Reference (Implied by REST endpoint flaws leading to arbitrary installation)
## Affected Systems
- Products: WordPress plugins GutenKit, Hunk Companion
- Versions:
  - GutenKit: 2.1.0 and earlier
  - Hunk Companion: 1.8.4 and earlier (for CVE-2024-9707)
  - Hunk Companion: 1.8.5 and earlier (for CVE-2024-11972)
- Configurations: Any WordPress installation running the specified vulnerable plugin versions.
## Vulnerability Description
This summary covers three critical vulnerabilities being actively exploited in a mass campaign:
1. **CVE-2024-9234 (GutenKit):** An unauthenticated flaw in a REST endpoint that allows attackers to install arbitrary plugins without needing any credentials.
2. **CVE-2024-9707 & CVE-2024-11972 (Hunk Companion):** Missing authorization vulnerabilities within the `themehunk-import` REST endpoint of the Hunk Companion plugin. When leveraged by an authenticated attacker, these allow the installation of arbitrary plugins.
The installation of an arbitrary plugin can subsequently lead to Remote Code Execution (RCE) on the target WordPress site, potentially through a secondary payload installed via the initial plugin installation.
## Exploitation
- Status: Exploited in the wild (Widespread exploitation campaign observed by Wordfence)
- Complexity: Low/Medium (CVE-2024-9234 is unauthenticated; the Hunk Companion flaws require authentication, but are being targeted en masse regardless)
- Attack Vector: Network
## Impact
- Confidentiality: High (Attackers can read and exfiltrate site data via installed backdoors)
- Integrity: High (Attackers can execute commands, change files, and install malicious plugins/backdoors)
- Availability: High (Disruption via command execution or site compromise)
## Remediation
### Patches
- **GutenKit:** Versions **2.1.1** and later (Released October 2024).
- **Hunk Companion:** Versions **1.9.0** and later (Released December 2024).
*Note: Users must update immediately as fixes have been available for several months.*
### Workarounds
- Deploy Web Application Firewall (WAF) rules or security tools (like Wordfence) to block traffic targeting the known vulnerable REST endpoints.
- Disable the affected plugins immediately if updating is not possible.
## Detection
- **Indicators of Compromise (IOCs):**
  - Look for excessive requests to the following paths in access logs:
    - `/wp-json/gutenkit/v1/install-active-plugin`
    - `/wp-json/hc/v1/themehunk-import`
  - Check for rogue directories/folders: `/up`, `/background-image-cropper`, `/ultra-seo-processor-wp`, `/oke`, and `/wp-query-console`.
- **Detection Methods and Tools:**
  - Monitor web server access logs for suspicious requests to the endpoints listed above.
  - Use WordPress security scanning tools to check plugin versions.
  - Threat actors have been observed deploying malicious plugins delivered in `.ZIP` files named 'up' that contain obfuscated scripts to establish persistence, upload/download files, and enable administrator logins.
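The two IOC checks above (endpoint requests in the access log and rogue directory names) can be scripted. The following is an added example written for this summary, not Wordfence's or the plugin vendors' code; it assumes a combined-format access log and uses constructed sample lines.

```python
import re
from collections import Counter
from pathlib import Path

# Endpoint paths and directory names are the IOCs from this advisory.
SUSPICIOUS_PATHS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)
ROGUE_PLUGIN_DIRS = {"up", "background-image-cropper",
                     "ultra-seo-processor-wp", "oke", "wp-query-console"}

# Apache/nginx combined log format: client IP, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def scan_access_log(lines):
    """Return {(ip, path): count} for requests that hit the vulnerable endpoints."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0].rstrip("/")  # drop query string
        if path in SUSPICIOUS_PATHS:
            hits[(m.group("ip"), path)] += 1
    return hits

def flag_rogue_plugin_dirs(dir_names):
    """Return which of the given directory names match the IOC list, sorted."""
    return sorted(set(dir_names) & ROGUE_PLUGIN_DIRS)

# Constructed sample log lines (documentation IP ranges, not a real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2025:12:01:10 +0000] "POST /wp-json/hc/v1/themehunk-import?x=1 HTTP/1.1" 401 88',
    '192.0.2.9 - - [10/Oct/2025:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for (ip, path), n in scan_access_log(SAMPLE_LOG).most_common():
        print(f"{ip} -> {path}: {n} request(s)")
    plugins = Path("wp-content/plugins")  # assumed relative to the WordPress root
    if plugins.is_dir():
        names = (d.name for d in plugins.iterdir() if d.is_dir())
        print("rogue plugin directories:", flag_rogue_plugin_dirs(names))
```

A 200 response on the unauthenticated GutenKit endpoint deserves more urgency than a 401 on the Hunk Companion one, so extend the key with the status code if you want that split in the output.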
## References
- Vendor Advisories: Direct vendor advisories are not explicitly listed, but fixes were released by the respective plugin developers in October/December 2024.
- Relevant links (defanged):
  - hxxps://www.wordfence.com/blog/2025/10/mass-exploit-campaign-targeting-arbitrary-plugin-installation-vulnerabilities/
  - hxxps://www.cve.org/CVERecord?id=CVE-2024-9234
  - hxxps://www.cve.org/CVERecord?id=CVE-2024-9707
  - hxxps://www.cve.org/CVERecord?id=CVE-2024-11972