Year-Old WordPress Plugin Flaws Exploited to Hack Websites

Posted on October 27, 2025 By CWS

Three critical-severity vulnerabilities in the GutenKit and Hunk Companion WordPress plugins have been exploited in a new campaign, Defiant warns.

Mass exploitation of the security defects began on October 8, with roughly 9 million exploit attempts blocked by the WordPress security firm over a two-week period, and follows previously identified large-scale campaigns targeting the same bugs.

GutenKit versions prior to 2.1.1 are affected by CVE-2024-9234, a missing capability check issue leading to arbitrary file uploads. The flaw allows attackers to install and activate arbitrary plugins or upload files masquerading as plugins.

Hunk Companion versions prior to 1.8.4 and 1.8.5 are vulnerable to unauthorized plugin installation/activation due to two missing capability check vulnerabilities in the ‘themehunk-import’ REST API endpoint.

Tracked as CVE-2024-9707 and CVE-2024-11972, the flaws allow unauthenticated attackers to install plugins and achieve remote code execution through other vulnerable plugins.
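All three bugs belong to the same class: a REST route that performs a privileged action (installing a plugin) without checking the caller's capabilities. The following is an added illustrative example, not code from GutenKit or Hunk Companion; the `example/v1` namespace, route names and callback are hypothetical, and it assumes the listed wp-admin includes are enough for `Plugin_Upgrader` to run from a REST request.

```php
<?php
// Illustrative mu-plugin (hypothetical 'example/v1' routes, not the plugins' own code).

// WEAK: '__return_true' lets any visitor, authenticated or not, reach the installer.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/import-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED: same callback, reachable only by users allowed to install and activate
// plugins, with the slug validated before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/import', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' ) && current_user_can( 'activate_plugins' );
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && 1 === preg_match( '/^[a-z0-9-]{1,64}$/', $value );
                },
            ),
        ),
    ) );
} );

function example_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    // Resolve the slug via the wordpress.org API; never install a caller-supplied ZIP URL
    // (the campaign's payload was a ZIP hosted on GitHub posing as a plugin).
    $info = plugins_api( 'plugin_information', array( 'slug' => $request['slug'] ) );
    if ( is_wp_error( $info ) || empty( $info->download_link ) ) {
        return new WP_Error( 'not_found', 'Unknown plugin slug', array( 'status' => 404 ) );
    }
    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    $result   = $upgrader->install( $info->download_link );
    if ( is_wp_error( $result ) || true !== $result ) {
        return new WP_Error( 'install_failed', 'Installation failed', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'installed' => $request['slug'] ) );
}
```

On an unpatched site, the same `permission_callback` logic can be enforced site-wide from a must-use plugin via the `rest_pre_dispatch` filter until the vendor fix is applied.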

As part of the recent attacks targeting the three security defects, the threat actor has distributed a malicious ZIP file posing as a plugin, which is hosted on GitHub.

The file contains multiple scripts that act as backdoors and attempt to establish persistence. A script in the archive allows attackers to automatically log in as administrators.

The ZIP also includes scripts that change file permissions, allowing the attackers to download and view files, and to archive entire folders into ZIP files. Other file upload/manager scripts are also included in the code.

Another file in the archive is a tool capable of mass defacement, network sniffing, and file management. It also has remote code execution functionality, allowing the attackers to deploy additional payloads.

GutenKit and Hunk Companion have over 40,000 and 8,000 active installations, respectively. Although the exploited vulnerabilities were patched over a year ago, they continue to represent attractive targets for threat actors, as the recent campaign shows.

Website administrators are advised to update their plugins to the latest, patched versions, and to review the indicators of compromise (IOCs) shared by Defiant to identify potential compromise.

Related: Flaw Allowing Website Takeover Found in WordPress Plugin With 400k Installations

Related: Hackers Inject Malware Into Gravity Forms WordPress Plugin

Related: Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover

Related: Motors Theme Vulnerability Exploited to Hack WordPress Websites
