A large-scale exploitation campaign is targeting WordPress websites using outdated versions of the GutenKit and Hunk Companion plugins. Attackers are exploiting three critical vulnerabilities (CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972) that allow unauthenticated or low-privileged users to install arbitrary plugins. This provides a pathway to achieve remote code execution on the compromised sites.
WordPress security firm Wordfence reported blocking over 8.7 million attack attempts in just two days. Although patches for these flaws have been available since late 2024, many sites remain vulnerable. The attackers deploy a malicious plugin from GitHub, which contains obfuscated scripts for file manipulation and a backdoor that grants them administrator access.
If the initial backdoor fails, they often install another vulnerable plugin to gain unauthenticated code execution. Site administrators are urged to update their plugins immediately and monitor access logs for suspicious requests to specific REST API endpoints. Checking for unauthorized directories and maintaining rigorous update practices are critical defenses against this ongoing threat.
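The log review and directory check described above, as an added example (not code from the article or from Wordfence): it parses combined-format access-log lines, flags requests to the plugin-install REST endpoints, and diffs the plugin directory against a known inventory. The endpoint paths are assumed from the vendor advisories and the log lines are constructed samples; confirm the paths against the advisory for your plugin versions.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2025:12:00:02 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 311 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:12:00:04 +0000] "GET /wp-content/plugins/hello.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Plugin-install REST endpoints of the two plugins (assumed from vendor advisories;
# not stated in the article above, so verify them for your installed versions).
WATCHED_ENDPOINTS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_suspicious_requests(lines: Iterable[str],
                             watched=WATCHED_ENDPOINTS) -> List[Tuple[str, str, str, int]]:
    """Return (ip, timestamp, path, status) for each request to a watched endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.rstrip("/") in watched:
            hits.append((m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


def unexpected_plugin_dirs(installed: Iterable[str], inventory: Iterable[str]) -> List[str]:
    """Plugin directories on disk that are absent from the site's known plugin inventory."""
    return sorted(set(installed) - set(inventory))


if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_LOG.splitlines()):
        print("suspicious install request:", hit)
    # Constructed directory listing; in practice use os.listdir("wp-content/plugins").
    on_disk = ["gutenkit-blocks-addon", "hunk-companion", "unknown-plugin-dir"]
    print("unexpected:", unexpected_plugin_dirs(on_disk, ["gutenkit-blocks-addon", "hunk-companion"]))
```

A 200 response on one of these endpoints from an IP with no prior authenticated session is the signal worth escalating; a 403 or 404 usually means the patched plugin rejected the call.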
