Cybercriminals have initiated a widespread exploitation campaign, targeting critical vulnerabilities within two widely-utilized WordPress plugins: GutenKit and Hunk Companion. This brazen attack endangers hundreds of thousands of websites on a global scale.
These vulnerabilities—uncovered in September and October of 2024—have reemerged as an imminent threat in October 2025, highlighting the enduring peril posed by unpatched installations.
The attack vectors exploit improper permission checks within REST API endpoints, enabling unauthenticated assailants to install nefarious plugins and execute remote code devoid of any authentication or user intervention.
GutenKit, with over 40,000 active installations, and Hunk Companion, with around 8,000, together represent a considerable attack surface given their extensive adoption.
Analysts from the Wordfence Threat Response Unit reported that mass exploitation commenced anew on October 8, 2025—roughly one year following the initial disclosure—underscoring the ongoing utilization of these critical flaws by malicious actors for orchestrating large-scale compromise operations.
Since the implementation of protective regulations, the Wordfence Firewall has thwarted more than 8,755,000 exploitation attempts aimed at these vulnerabilities.
The threat landscape reveals a sophisticated attack infrastructure, employing a range of malicious payloads designed for persistence and lateral movement.
Researchers from the Wordfence Threat Response Unit have revealed that perpetrators disseminate heavily obfuscated backdoors, file managers, and webshells capable of mass defacement, network reconnaissance, and terminal access.
These malicious packages abuse a permission callback that was erroneously set to always return true, turning an otherwise legitimate plugin installation function into a weaponized entry point for systemic compromise.
Exploitation of REST API Permission Mechanism
The core vulnerability arises from a critical misconfiguration in REST API endpoint registration. Both plugins employ permission callbacks that indiscriminately permit unauthenticated requests by consistently returning true values, effectively nullifying access controls.
In GutenKit, the vulnerable endpoint, gutenkit/v1/install-active-plugin, routes to the install_and_activate_plugin_from_external() function. Hunk Companion exposes similar functionality through hc/v1/themehunk-import.
This exploitation mechanism operates by issuing POST requests containing arbitrary plugin URLs hosted on external repositories, typically GitHub or domains controlled by attackers.
Upon the arrival of an unauthenticated request at these endpoints, the server autonomously downloads and extracts the specified ZIP archive directly into wp-content/plugins, circumventing any validation of plugin authenticity or code integrity.
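The registration pattern described above, as an added illustration that is not GutenKit's or Hunk Companion's actual code: the same plugin-installing callback is first exposed behind a permission callback that always returns true, then placed behind a capability check and a package-source allow-list. The namespace, route names, function names and the WordPress.org-only allow-list are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not GutenKit's or Hunk Companion's code): the REST
 * route-registration pattern the article describes, first with the flaw
 * and then hardened. Namespace, routes and function names are illustrative.
 */

// --- WEAK: permission_callback always returns true ---------------------------
// Any unauthenticated visitor can reach the plugin-installing callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_from_url',
        'permission_callback' => '__return_true', // the flaw: no access control at all
    ) );
} );

// --- HARDENED: capability check plus an allow-list for the package source ----
function example_install_plugin_permission( WP_REST_Request $request ) {
    // Cookie-authenticated REST calls need a valid nonce; without one WordPress
    // treats the caller as logged out and current_user_can() returns false.
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to install plugins.',
            array( 'status' => is_user_logged_in() ? 403 : 401 )
        );
    }
    return true;
}

// Accept only HTTPS packages served from WordPress.org, rejecting the arbitrary
// GitHub or attacker-controlled URLs the campaign relies on (allow-list is an
// assumption for this example; adjust to the sources a site actually trusts).
function example_validate_plugin_url( $value ) {
    if ( ! is_string( $value ) || ! wp_http_validate_url( $value ) ) {
        return false;
    }
    return 'https' === wp_parse_url( $value, PHP_URL_SCHEME )
        && 'downloads.wordpress.org' === wp_parse_url( $value, PHP_URL_HOST );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_from_url',
        'permission_callback' => 'example_install_plugin_permission',
        'args'                => array(
            'plugin_url' => array(
                'required'          => true,
                'validate_callback' => 'example_validate_plugin_url',
            ),
        ),
    ) );
} );

// Shared handler: installs the package with WordPress's own upgrader. Behind the
// weak route this is the "legitimate function turned entry point" the article
// describes; behind the hardened route only a user who may install plugins reaches it.
function example_install_plugin_from_url( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    $result   = $upgrader->install( $request->get_param( 'plugin_url' ) );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    if ( true !== $result ) {
        return new WP_Error( 'install_failed', 'Package could not be installed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'installed' => $upgrader->plugin_info() ) );
}
```

The hardened route does two independent things: the permission callback rejects anyone without the install_plugins capability before the handler runs, and the argument validator refuses package URLs outside the allow-list even for an authorised caller. Either check alone would have stopped the unauthenticated installs the article describes; keeping both limits the damage if an administrator account is later compromised.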
Wordfence Threat Response Unit analysts found that the malicious packages include obfuscated PHP scripts carrying All in One SEO plugin headers to evade rudimentary detection, along with base64-encoded file managers and backdoors disguised behind PDF headers, facilitating comprehensive system compromise.

This installation process unfolds automatically, activating malicious code instantaneously and affording attackers direct command execution capabilities for the installation of additional malware, alteration of website content, and establishment of persistent access mechanisms.
| CVE ID | Plugin | Affected Versions | Patched Version | CVSS Score | Vulnerability Type | Bounty |
|---|---|---|---|---|---|---|
| CVE-2024-9234 | GutenKit | ≤ 2.1.0 | 2.1.1 | 9.8 (Critical) | Unauthenticated Arbitrary File Upload | $716.00 |
| CVE-2024-9707 | Hunk Companion | ≤ 1.8.4 | 1.9.0 | 9.8 (Critical) | Missing Authorization – Arbitrary Plugin Installation | $537.00 |
| CVE-2024-11972 | Hunk Companion | ≤ 1.8.5 | 1.9.0 | 9.8 (Critical) | Missing Authorization – Plugin Installation Bypass | N/A |
It is imperative for website administrators to promptly update GutenKit to version 2.1.1 and Hunk Companion to version 1.9.0. Additionally, they should scrutinize the wp-content/plugins and wp-content/upgrade directories for any suspicious installations.
Monitoring access logs for requests directed to /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import endpoints is crucial, alongside implementing firewall rules to confine API access solely to authenticated users.
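The log monitoring recommended above, as an added example that is not from the article or from Wordfence: a small PHP command-line script that scans a combined-format web server access log for requests to the two endpoints, including the ?rest_route= form that reaches the same handlers on sites without pretty permalinks, and flags accepted POSTs for follow-up. The sample log lines are constructed; the IPs, timestamps and user agents are placeholders, and the script assumes the Apache/Nginx "combined" log format.

```php
<?php
/**
 * Added example (not from the article or Wordfence): scan a combined-format
 * access log for requests to the two vulnerable REST endpoints so an
 * administrator can see who reached them and whether the call succeeded.
 * The sample lines below are constructed; addresses are documentation ranges.
 */

const WATCHED_ENDPOINTS = array(
    '/wp-json/gutenkit/v1/install-active-plugin',
    '/wp-json/hc/v1/themehunk-import',
);

// Apache/Nginx "combined" format:
// ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
const LOG_PATTERN = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';

// Normalise the request target to a plain REST path: strip the query string,
// and translate the ?rest_route=... form into its /wp-json equivalent.
function normalise_rest_path( string $target ): string {
    if ( preg_match( '/[?&]rest_route=([^&]+)/', $target, $q ) ) {
        return '/wp-json' . rawurldecode( $q[1] );
    }
    return (string) strtok( $target, '?' );
}

function scan_access_log( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( LOG_PATTERN, $line, $m ) ) {
            continue; // not a combined-format line; skip rather than guess
        }
        list( , $ip, $time, $method, $target, $status ) = $m;
        $endpoint = normalise_rest_path( $target );
        if ( ! in_array( $endpoint, WATCHED_ENDPOINTS, true ) ) {
            continue;
        }
        $hits[] = array(
            'ip'       => $ip,
            'time'     => $time,
            'method'   => $method,
            'endpoint' => $endpoint,
            'status'   => (int) $status,
            // A 200 on a POST means the install route accepted the request; the
            // plugins and upgrade directories should then be checked for new entries.
            'accepted' => ( 'POST' === $method && 200 === (int) $status ),
        );
    }
    return $hits;
}

// Constructed sample: one blocked attempt, one accepted install, one
// rest_route-style request that failed, and one ordinary request to ignore.
$sample = array(
    '203.0.113.10 - - [08/Oct/2025:12:00:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 403 87 "-" "curl/8.0"',
    '203.0.113.10 - - [08/Oct/2025:12:00:05 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 215 "-" "curl/8.0"',
    '198.51.100.7 - - [08/Oct/2025:12:01:13 +0000] "POST /?rest_route=%2Fhc%2Fv1%2Fthemehunk-import HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '192.0.2.44 - - [08/Oct/2025:12:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
);

// Usage: php scan_log.php /var/log/apache2/access.log   (falls back to the sample)
$lines = isset( $argv[1] ) ? file( $argv[1], FILE_IGNORE_NEW_LINES ) : $sample;
foreach ( scan_access_log( $lines ) as $hit ) {
    printf(
        "%s %-15s %-6s %-45s %d%s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['endpoint'], $hit['status'],
        $hit['accepted'] ? '  <-- accepted, inspect wp-content/plugins and wp-content/upgrade' : ''
    );
}
```

On the sample input the script reports the three endpoint hits and ignores the ordinary REST request; only the second line is marked as accepted. A 403 from a firewall rule or a patched plugin is still worth recording, since repeated attempts from one address are a useful blocking signal, while an accepted POST dated before the plugin was updated means the directories named above need a manual review.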
Source link: Cybersecuritynews.com.