Exploitation Campaign Targeting Vulnerable WordPress Plugins
A large-scale exploitation campaign is targeting WordPress sites that run the GutenKit and Hunk Companion plugins, abusing critical vulnerabilities that can lead to remote code execution (RCE).
Wordfence reports that it blocked 8.7 million attack attempts in just two days, October 8 and 9.
The campaign exploits three vulnerabilities, CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all rated critical (CVSS 9.8).
CVE-2024-9234 is a flaw in an unauthenticated REST endpoint of the GutenKit plugin (about 40,000 installations) that allows unauthorized installation of arbitrary plugins.
CVE-2024-9707 and CVE-2024-11972 are both missing authorization flaws in the themehunk-import REST endpoint of the Hunk Companion plugin (about 8,000 installations) and likewise allow installation of arbitrary plugins.
Because the affected endpoints perform no authorization check, unauthenticated attackers can use them to install additional malicious or vulnerable plugins, which in turn gives them remote code execution.
- CVE-2024-9234 affects GutenKit versions 2.1.0 and earlier.
- CVE-2024-9707 impacts Hunk Companion versions 1.8.4 and earlier.
- CVE-2024-11972 affects Hunk Companion versions 1.8.5 and earlier.
Fixes shipped in GutenKit 2.1.1 (October 2024) and Hunk Companion 1.9.0 (December 2024). Although patches have been available for nearly a year, many sites still run outdated, vulnerable versions.
Attack Insights
Wordfence researchers identified a malicious plugin hosted on GitHub and distributed as a ZIP archive named 'up'.
The archive contains obfuscated scripts for uploading, downloading and deleting files and for changing file permissions. One of them, disguised as part of the All in One SEO plugin and protected by a password, gives the attacker automatic administrator access.
These tools let attackers maintain persistence, exfiltrate files, execute commands, or intercept sensitive data processed by the site.
Where the installed package cannot provide a direct administrative backdoor, attackers often fall back on installing the vulnerable 'wp-query-console' plugin, which can be exploited for unauthenticated RCE.
Wordfence has also published a list of IP addresses responsible for large volumes of malicious requests, which is useful for blocking and for building detection rules against this campaign.

Prevention and Monitoring Recommendations
Site administrators should check their access logs for requests to /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import. On a patched site such requests are only evidence of scanning; on an unpatched site a request that the server answered successfully should be treated as a likely compromise.
They should also inspect the plugins directory for unexpected entries named /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console.
The most important mitigation is to update all plugins to the latest versions provided by their vendors; for the two plugins discussed here, that means at least GutenKit 2.1.1 and Hunk Companion 1.9.0.
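The following script turns the two checks above into something that can be run against a server. It is an added example written for this page, not code from Wordfence, BleepingComputer or the plugin vendors. It parses Combined Log Format access-log lines, flags requests to the two REST routes named above, counts probes per source IP, singles out POSTs the server answered with a 2xx (the case that warrants a closer look), and lists any of the indicator plugin directories present under wp-content/plugins. It also matches the `?rest_route=` form of the routes, which WordPress accepts when pretty permalinks are disabled; that generalization is the editor's assumption, not something the article states. The log lines embedded below are constructed sample data.

```python
"""Detect probes of the GutenKit / Hunk Companion plugin-install endpoints and
check a WordPress install for the plugin directories the campaign drops.

Added example for this page; not code from Wordfence or the plugin vendors.
"""
import os
import re
from collections import Counter
from urllib.parse import unquote

# REST routes named in the article.  WordPress also exposes the REST API via
# the ?rest_route= query parameter (no pretty permalinks), so both forms are
# matched below.  That second form is an assumption about deployments, not
# something the article states.
TARGET_ROUTES = (
    "/gutenkit/v1/install-active-plugin",
    "/hc/v1/themehunk-import",
)

# Plugin directory names the article lists as indicators of compromise.
SUSPICIOUS_PLUGIN_DIRS = (
    "up",
    "background-image-cropper",
    "ultra-seo-processor-wp",
    "oke",
    "wp-query-console",
)

# Combined Log Format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; the IPs are documentation ranges, not real attackers.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Oct/2025:14:02:11 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Oct/2025:14:02:12 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 401 87 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2025:14:05:40 +0000] "POST /?rest_route=%2Fgutenkit%2Fv1%2Finstall-active-plugin HTTP/1.1" 404 210 "-" "curl/8.4"
192.0.2.44 - - [08/Oct/2025:14:06:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def requested_route(path):
    """Return the targeted route a request path hits, or None.

    The path is percent-decoded first so that an encoded ?rest_route= value
    cannot slip past a literal string match."""
    decoded = unquote(path)
    for route in TARGET_ROUTES:
        if "/wp-json" + route in decoded or "rest_route=" + route in decoded:
            return route
    return None


def scan_access_log(lines):
    """Return (ip, method, route, status) for every line hitting a target route.

    Lines that do not parse as Combined Log Format are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        route = requested_route(m["path"])
        if route is not None:
            hits.append((m["ip"], m["method"], route, int(m["status"])))
    return hits


def summarize(hits):
    """Count probes per source IP and isolate POSTs answered with 2xx.

    A 2xx on a POST means the install endpoint accepted the request; on an
    unpatched site that is the moment to check the plugins directory."""
    per_ip = Counter(ip for ip, _, _, _ in hits)
    succeeded = [h for h in hits if h[1] == "POST" and 200 <= h[3] < 300]
    return per_ip, succeeded


def flag_plugin_dirs(names):
    """Return the indicator directory names present in an iterable of names."""
    present = set(names)
    return sorted(d for d in SUSPICIOUS_PLUGIN_DIRS if d in present)


def check_plugin_dirs(wp_root):
    """List indicator plugin directories under <wp_root>/wp-content/plugins."""
    plugins = os.path.join(wp_root, "wp-content", "plugins")
    if not os.path.isdir(plugins):
        return []
    names = [d for d in os.listdir(plugins)
             if os.path.isdir(os.path.join(plugins, d))]
    return flag_plugin_dirs(names)


if __name__ == "__main__":
    import sys
    # Usage: python scan.py [access.log] [/var/www/html]
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 \
        else SAMPLE_LOG.splitlines()
    per_ip, succeeded = summarize(scan_access_log(lines))
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} probe(s)")
    for ip, method, route, status in succeeded:
        print(f"ACCEPTED {method} {route} from {ip} (HTTP {status})")
    if len(sys.argv) > 2:
        print("indicator plugin dirs:", check_plugin_dirs(sys.argv[2]) or "none")
```

Run it with no arguments to see the constructed sample classified; pass an access log path and the site root to scan a real install. Probes alone (401 or 404 responses) only tell you the site is being scanned; an accepted POST to either route on a site that was still running GutenKit 2.1.0 or Hunk Companion 1.8.5 or older at that time is the signal to look for the indicator directories and the dropped scripts described above.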
Source link: Bleepingcomputer.com.