Friday, October 24, 2025

Hackers launch mass assaults exploiting outdated WordPress plugins

A large-scale exploitation campaign is targeting WordPress sites running GutenKit and Hunk Companion plugin versions that are vulnerable to old, critical-severity security flaws that can be used to achieve remote code execution (RCE).

WordPress security firm Wordfence says it blocked 8.7 million attack attempts against its customers in just two days, October 8 and 9.

The campaign exploits three flaws, tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all rated critical (CVSS 9.8).

CVE-2024-9234 is an unauthenticated REST endpoint flaw in the GutenKit plugin (40,000 installs) that allows installing arbitrary plugins without authentication.

CVE-2024-9707 and CVE-2024-11972 are missing-authorization vulnerabilities in the themehunk-import REST endpoint of the Hunk Companion plugin (8,000 installs) that can also lead to installing arbitrary plugins.

Because none of the three endpoints checks the caller's authorization, an unauthenticated attacker can use them to install another, deliberately vulnerable plugin that in turn allows remote code execution.

  • CVE-2024-9234 affects GutenKit 2.1.0 and earlier
  • CVE-2024-9707 affects Hunk Companion 1.8.4 and earlier
  • CVE-2024-11972 affects Hunk Companion 1.8.5 and earlier

Fixes for the three vulnerabilities became available in GutenKit 2.1.1, released in October 2024, and Hunk Companion 1.9.0, released in December 2024. However, despite the vendors patching them almost a year ago, many websites continue to run vulnerable versions.
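The affected ranges above translate directly into a version check. The script below is an added example, not Wordfence's or the plugin vendors' code: it reads the standard WordPress plugin header (the `Version:` line at the top of a plugin's main PHP file) for each directory under wp-content/plugins/ and reports which of the three CVEs still apply. The directory slugs used as keys in `AFFECTED` are assumptions and should be adjusted to match the install being checked; `SAMPLE_HEADERS` is constructed so the script runs offline.

```python
"""Added example (not Wordfence's or the plugin vendors' code): flag installed
GutenKit / Hunk Companion copies that fall inside the affected ranges above.
The plugin header format and wp-content/plugins/<slug>/ layout are standard
WordPress; the slugs in AFFECTED are assumptions, adjust them to match your
install.  SAMPLE_HEADERS are constructed for the offline demo."""
from __future__ import annotations
import re
from pathlib import Path

# (CVE, last affected version inclusive), as reported in the article.  Slugs assumed.
AFFECTED = {
    "gutenkit-blocks-addon": [("CVE-2024-9234", "2.1.0")],
    "hunk-companion": [("CVE-2024-9707", "1.8.4"), ("CVE-2024-11972", "1.8.5")],
}

# "Version:" line of the standard WordPress plugin header comment.
HEADER_RE = re.compile(r"^[\s*#/]*Version:\s*(\S+)", re.MULTILINE)


def version_key(v: str) -> tuple[int, ...]:
    """'2.1.0' -> (2, 1, 0, 0); pre-release suffixes such as '-beta1' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    nums = [int(p) for p in m.group(0).split(".")] if m else [0]
    return tuple(nums + [0] * (4 - len(nums)))[:4]


def parse_plugin_version(header_text: str) -> str | None:
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None


def affected_cves(slug: str, version: str) -> list[str]:
    """CVEs whose affected range (<= last_bad) still contains this version."""
    return [cve for cve, last_bad in AFFECTED.get(slug, [])
            if version_key(version) <= version_key(last_bad)]


def check_headers(headers: dict[str, str]) -> dict[str, list[str]]:
    """slug -> header text  ==>  slug -> open CVEs (empty list means patched)."""
    findings = {}
    for slug, text in headers.items():
        if slug not in AFFECTED:
            continue
        version = parse_plugin_version(text)
        findings[slug] = affected_cves(slug, version) if version else ["version header not found"]
    return findings


def read_plugin_headers(plugins_dir: Path) -> dict[str, str]:
    """Per plugin directory, the first top-level .php file that carries a Version: header."""
    headers = {}
    for plugin in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in sorted(plugin.glob("*.php")):
            text = php.read_text(errors="replace")[:8192]   # the header sits at the top
            if HEADER_RE.search(text):
                headers[plugin.name] = text
                break
    return headers


# Constructed sample headers: a vulnerable copy of each plugin plus one unrelated plugin.
SAMPLE_HEADERS = {
    "gutenkit-blocks-addon": "<?php\n/**\n * Plugin Name: GutenKit\n * Version: 2.0.5\n */\n",
    "hunk-companion": "<?php\n/*\nPlugin Name: Hunk Companion\nVersion: 1.8.5\n*/\n",
    "akismet": "<?php\n/**\n * Plugin Name: Akismet\n * Version: 5.3\n */\n",
}

if __name__ == "__main__":
    import sys
    headers = read_plugin_headers(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for slug, cves in check_headers(headers).items():
        print(f"{slug}: {'VULNERABLE ' + ', '.join(cves) if cves else 'patched'}")
```

Run it with the path to wp-content/plugins/ as the first argument; with no argument it checks the constructed sample. Note that Hunk Companion 1.8.5 is reported as clear of CVE-2024-9707 but still affected by CVE-2024-11972, so a site that stopped at 1.8.5 is still exposed until 1.9.0.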

[Figure: Number of blocked attacks. Source: Wordfence]

Wordfence's observations, based on the attack data, indicate that the threat actors are hosting on GitHub a malicious plugin packaged as a .ZIP archive called 'up'.

The archive contains obfuscated scripts that allow uploading, downloading, and deleting files, and changing file permissions. One of the scripts, which is password-protected and disguised as part of the All in One SEO plugin, is used to automatically log the attacker in as an administrator.

The attackers use these tools to maintain persistence, steal or drop files, execute commands, or sniff private data handled by the site.

When attackers cannot immediately reach a full admin backdoor via the installed package, they often install the vulnerable 'wp-query-console' plugin, which can be leveraged for unauthenticated RCE.

Wordfence has listed several IP addresses that drive high volumes of these malicious requests, which can help in building defenses against these attacks.

As an indicator of compromise, the researchers say administrators should look for requests to /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import in the site's access logs.

They should also check the plugin directories /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console for any rogue entries.
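The two indicator checks above (endpoint requests in the access log, rogue plugin directories on disk) can be run as one script. The following is an added example, not Wordfence's code: it parses Apache/nginx combined-format log lines, flags requests to the two listed endpoints and to the listed plugin directories, and tallies hits per source IP. It also normalises the `?rest_route=/...` URL form, which WordPress accepts for REST calls on sites without pretty permalinks and which a plain grep for `/wp-json/` would miss; that handling is the example's own assumption about how the requests may appear. `SAMPLE_LOG` is constructed.

```python
"""Added example (not Wordfence's code): hunt for the indicators listed above
in a combined-format access log and in wp-content/plugins/.  Endpoint paths
and directory names are the ones from the article; the ?rest_route= handling
assumes WordPress's fallback REST URL form.  SAMPLE_LOG is constructed."""
from __future__ import annotations
import re
from collections import Counter
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# REST endpoints abused by the campaign, as listed above.
IOC_ENDPOINTS = {
    "/wp-json/gutenkit/v1/install-active-plugin": "CVE-2024-9234",
    "/wp-json/hc/v1/themehunk-import": "CVE-2024-9707/CVE-2024-11972",
}
# Plugin directories the campaign drops, as listed above.
IOC_PLUGIN_DIRS = {"up", "background-image-cropper", "ultra-seo-processor-wp",
                   "oke", "wp-query-console"}

# Combined log: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def normalise_route(request_target: str) -> str:
    """Map both /wp-json/... and /?rest_route=/... forms to a /wp-json/... path."""
    parts = urlsplit(request_target)
    route = parse_qs(parts.query).get("rest_route")   # parse_qs already URL-decodes
    path = "/wp-json" + route[0] if route else parts.path
    return path.rstrip("/")


def classify(request_target: str) -> tuple[str, str] | None:
    """(indicator, detail) if the request touches an IoC endpoint or directory, else None."""
    route = normalise_route(request_target)
    for endpoint, cve in IOC_ENDPOINTS.items():
        if route.endswith(endpoint):      # endswith tolerates /blog/wp-json/... sub-installs
            return endpoint, cve
    m = re.search(r"/wp-content/plugins/([^/?]+)/", request_target)
    if m and m.group(1) in IOC_PLUGIN_DIRS:
        return f"/wp-content/plugins/{m.group(1)}/", "rogue plugin directory"
    return None


def scan_access_log(lines) -> list[dict]:
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format: skip rather than crash
        found = classify(m["path"])
        if found:
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "status": int(m["status"]), "indicator": found[0], "detail": found[1]})
    return hits


def top_sources(hits: list[dict]) -> Counter:
    """Hits per source IP: the high-volume sources worth blocking."""
    return Counter(h["ip"] for h in hits)


def rogue_plugin_dirs(present: set[str]) -> set[str]:
    return IOC_PLUGIN_DIRS & present


def rogue_plugin_dirs_on_disk(plugins_dir: Path) -> set[str]:
    return rogue_plugin_dirs({p.name for p in plugins_dir.iterdir() if p.is_dir()})


# Constructed sample: two attacker IPs (one using the rest_route form) and one benign request.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Oct/2025:10:15:32 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [08/Oct/2025:10:15:40 +0000] "GET /wp-content/plugins/up/up.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.7 - - [09/Oct/2025:03:02:11 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 403 0 "-" "curl/8.4.0"
198.51.100.7 - - [09/Oct/2025:03:02:15 +0000] "POST /?rest_route=%2Fhc%2Fv1%2Fthemehunk-import HTTP/1.1" 200 77 "-" "curl/8.4.0"
192.0.2.55 - - [09/Oct/2025:07:44:01 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8832 "https://example.org/" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    hits = scan_access_log(lines)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["status"]} {h["indicator"]} ({h["detail"]})')
    print("top sources:", top_sources(hits).most_common(5))
    if len(sys.argv) > 2:
        print("rogue plugin dirs:", rogue_plugin_dirs_on_disk(Path(sys.argv[2])) or "none")
```

Usage: `python scan.py /var/log/nginx/access.log /var/www/html/wp-content/plugins`. A 403 on one of the endpoints (the third sample line) means a WAF or the patched plugin refused the call, but the attempt is still worth recording because the same source typically retries; a 200 on install-active-plugin or themehunk-import on an unpatched version is the point at which the plugin directory check matters most.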

Administrators are advised to keep all plugins on their websites updated to the latest version available from the vendor.

