Cyber Web Spider Blog – News
Hackers Actively Exploiting WordPress Arbitrary Installation Vulnerabilities in The Wild

Posted on October 27, 2025 By CWS

Threat actors have launched a major mass exploitation campaign targeting critical vulnerabilities in two popular WordPress plugins, GutenKit and Hunk Companion, affecting hundreds of thousands of websites globally.

These vulnerabilities, discovered in September and October 2024, have resurfaced as an active threat in October 2025, demonstrating the persistent danger of unpatched installations.

The attack vectors leverage improper permission checks in REST API endpoints, allowing unauthenticated attackers to install malicious plugins and achieve remote code execution without authentication or user interaction.

The GutenKit plugin, with over 40,000 active installations, and Hunk Companion, with roughly 8,000 active users, represent significant attack surfaces because of their widespread adoption.

Wordfence Threat Response Unit analysts identified that attackers began mass exploitation again on October 8th, 2025, roughly one year after initial disclosure, indicating threat actors continue leveraging these critical flaws for large-scale compromise operations.

The Wordfence Firewall has already blocked more than 8,755,000 exploit attempts targeting these vulnerabilities since protective rules were deployed.

The threat landscape reveals organized attack infrastructure with multiple malicious payloads designed for persistence and lateral movement.

Wordfence Threat Response Unit researchers noted that attackers distribute heavily obfuscated backdoors, file managers, and webshells capable of mass defacement, network reconnaissance, and terminal access.

These malicious packages exploit a permission callback that is set to return true, turning otherwise legitimate plugin installation functionality into a weaponized entry point for system compromise.

REST API Permission Mechanism Exploitation

The fundamental vulnerability stems from a critical misconfiguration in REST API endpoint registration. Both plugins implement permission callbacks that unconditionally allow unauthenticated requests by returning true, effectively disabling access controls entirely.

In GutenKit, the vulnerable endpoint routes to the install_and_activate_plugin_from_external() function via the gutenkit/v1/install-active-plugin endpoint, while Hunk Companion exposes similar functionality through hc/v1/themehunk-import.

The exploitation mechanism works by sending POST requests with arbitrary plugin URLs hosted on external repositories, typically GitHub or attacker-controlled domains.

When an unauthenticated request reaches these endpoints, the server downloads and extracts the specified ZIP archive directly into wp-content/plugins without validating plugin authenticity or code integrity.

Wordfence Threat Response Unit analysts found that the malicious packages contain obfuscated PHP scripts carrying All in One SEO plugin headers to evade basic detection, alongside base64-encoded file managers and backdoors disguised with PDF headers, enabling full system compromise.

The installation process executes automatically, activating the malicious code immediately and giving attackers direct command execution capabilities for installing additional malware, modifying website content, and establishing persistent access mechanisms.

| CVE ID         | Plugin         | Affected Versions | Patched Version | CVSS Score     | Vulnerability Type                                     | Bounty  |
|----------------|----------------|-------------------|-----------------|----------------|--------------------------------------------------------|---------|
| CVE-2024-9234  | GutenKit       | ≤ 2.1.0           | 2.1.1           | 9.8 (Critical) | Unauthenticated Arbitrary File Upload                  | $716.00 |
| CVE-2024-9707  | Hunk Companion | ≤ 1.8.4           | 1.9.0           | 9.8 (Critical) | Missing Authorization – Arbitrary Plugin Installation  | $537.00 |
| CVE-2024-11972 | Hunk Companion | ≤ 1.8.5           | 1.9.0           | 9.8 (Critical) | Missing Authorization – Plugin Installation Bypass     | N/A     |

Website administrators should immediately update GutenKit to version 2.1.1 and Hunk Companion to version 1.9.0. Review the wp-content/plugins and wp-content/upgrade directories for suspicious installations.

Monitor access logs for requests to the /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import endpoints, and implement firewall rules to restrict API access to authenticated users only.
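The log review recommended above, as an added example that is not part of the original article or of Wordfence's tooling: it parses web-server access logs in the common "combined" format, flags POST requests to the two installer endpoints named in the advisory (ignoring any query string), and summarizes per source address how many attempts were made and how many received a 2xx response, which is the case worth treating as a likely successful installation. The log lines are constructed for illustration and use documentation IP ranges.

```python
import re
from collections import defaultdict

# Endpoints named in the advisory (paths under /wp-json/).
WATCHED_ENDPOINTS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)

# Apache/Nginx "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return a dict for a well-formed combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before matching
    return rec

def is_install_attempt(rec):
    """True for a POST to either plugin-installer endpoint."""
    return (rec is not None and rec["method"] == "POST"
            and rec["path"].rstrip("/") in WATCHED_ENDPOINTS)

def scan_log(lines):
    """Per-source summary: attempts, 2xx responses, and endpoints touched."""
    hits = defaultdict(lambda: {"attempts": 0, "succeeded": 0, "endpoints": set()})
    for line in lines:
        rec = parse_line(line)
        if is_install_attempt(rec):
            h = hits[rec["ip"]]
            h["attempts"] += 1
            h["endpoints"].add(rec["path"])
            if 200 <= rec["status"] < 300:
                h["succeeded"] += 1
    return dict(hits)

# Constructed sample lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Oct/2025:10:01:02 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.5 - - [08/Oct/2025:10:01:09 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 401 96 "-" "python-requests/2.31"
198.51.100.7 - - [08/Oct/2025:10:02:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2025:10:02:30 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin?x=1 HTTP/1.1" 403 88 "-" "curl/8.4"
"""

if __name__ == "__main__":
    for ip, h in scan_log(SAMPLE_LOG.splitlines()).items():
        print(ip, h["attempts"], "attempts,", h["succeeded"], "succeeded:", sorted(h["endpoints"]))
```

Any source with a succeeded count above zero warrants a check of wp-content/plugins for an unexpected plugin directory created at that timestamp.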
