In early October, Wordfence, which specializes in WordPress security, discovered a large-scale exploitation campaign had resurfaced. The attack weaponized the long-standing capability-check flaws in two WordPress plugins:
- GutenKit (CVE-2024-9234)
- Hunk Companion (CVE-2024-9707 and CVE-2024-11972)
“This isn't a zero-day, it's automation exploiting known vulnerabilities at scale,” said Christopher Jess, Senior R&D Manager at Black Duck, a Massachusetts-based provider of application security solutions. “The GutenKit and Hunk Companion flaws let unauthenticated attackers install or upload plugins, which is a short hop to full site takeover once a secondary payload lands.”
The attackers abused missing permission checks on the plugins' REST endpoints to install and activate arbitrary plugins on unpatched sites: they uploaded plugin ZIPs, triggered installs, and then used those installers to gain persistence and remote code execution via follow-on payloads.
The result: millions of exploit attempts across the globe. End users also received warnings reminding them to harden their REST API configurations and to follow patch hygiene best practices.
Firewall Blocks Nearly Nine Million Exploit Attempts in Two Weeks
As this attack demonstrates, plugin supply-chain risks exist across the WordPress ecosystem.
“These are critical vulnerabilities, and while patches are available, many organizations may still be exposed,” said Randolph Barr, Chief Information Security Officer at Cequence Security, a San Francisco-based API security and bot management provider. “What often makes this type of incident risky is that WordPress environments are frequently managed by marketing or communications teams rather than IT or security.”
The mass exploitation of the plugins began on October 8, about one year after Wordfence had received submissions through its bug bounty program for arbitrary plugin installation vulnerabilities in GutenKit and Hunk Companion. The plugins have more than 40K and 8K active installations, respectively.
The vulnerabilities make it possible for unauthenticated threat actors to install and activate arbitrary plugins, which can be leveraged to achieve remote code execution. Wordfence records indicate that for the recent attack, its firewall had blocked more than 8.7 million exploit attempts targeting these vulnerabilities in the first two weeks.
Vulnerability, Attack Chain and Payload Breakdown
In the GutenKit case, attackers disguised arbitrary file uploads as plugins. With Hunk Companion, missing capability checks and bypass flaws enabled unauthorized plugin installs.
Capability checks are the permission validations that gate REST endpoints, confirming that the caller is allowed to perform the requested action before the endpoint does any work. Reviewing them lets security teams evaluate security postures, programs, processes, and technology against industry standards, identify weaknesses, measure security control effectiveness, manage IT risks, and create a roadmap for mitigating vulnerabilities.
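The following is an added example, not code from GutenKit, Hunk Companion or WordPress core. It shows the class of defect the article describes, a plugin-install REST route whose `permission_callback` accepts every caller, beside a hardened registration that checks the `install_plugins` capability, verifies the REST nonce, and restricts package sources. The namespace `example-plugin/v1`, the route names, the `example_` functions and the host allowlist are assumptions for illustration; the WordPress functions and classes used (`register_rest_route`, `current_user_can`, `wp_verify_nonce`, `Plugin_Upgrader`) are real core APIs.

```php
<?php
// Added example (not GutenKit, Hunk Companion or WordPress core code).
// Namespace, route names, example_ functions and the allowlist are assumed.

// Handler shared by both routes: downloads and installs a plugin package.
// On its own it does privileged work, so whoever can reach it controls the site.
function example_install_plugin_from_url( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $request['package_url'] );

    if ( is_wp_error( $result ) ) {
        return $result;
    }
    if ( true !== $result ) {
        return new WP_Error( 'install_failed', 'Plugin installation failed.', array( 'status' => 500 ) );
    }
    return new WP_REST_Response( array( 'installed' => true ), 200 );
}

// VULNERABLE PATTERN: '__return_true' means WordPress never asks who the caller
// is, so an unauthenticated request installs whatever ZIP the URL points to.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/install', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_install_plugin_from_url',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED PATTERN: WordPress evaluates permission_callback before the handler
// runs, so a failed check stops the request at the dispatcher.
const EXAMPLE_ALLOWED_PACKAGE_HOSTS = array( 'downloads.wordpress.org' ); // assumed allowlist

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/install-secure', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_install_plugin_from_url',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Capability check: only users allowed to install plugins.
            if ( ! current_user_can( 'install_plugins' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to install plugins.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            // Nonce check: ties the call to a session of the site's own admin UI
            // (core already drops cookie auth on a bad nonce; this makes the
            // requirement explicit and rejects callers that send none).
            if ( ! wp_verify_nonce( (string) $request->get_header( 'X-WP-Nonce' ), 'wp_rest' ) ) {
                return new WP_Error( 'rest_cookie_invalid_nonce', 'Missing or invalid nonce.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'package_url' => array(
                'required'          => true,
                'type'              => 'string',
                'format'            => 'uri',
                'sanitize_callback' => 'esc_url_raw',
                // Source restriction: refuse packages hosted anywhere outside the allowlist.
                'validate_callback' => function ( $value ) {
                    $host = wp_parse_url( $value, PHP_URL_HOST );
                    return is_string( $host ) && in_array( strtolower( $host ), EXAMPLE_ALLOWED_PACKAGE_HOSTS, true );
                },
            ),
        ),
    ) );
} );
```

The order of the checks matters for detection as much as for prevention: a capability failure returns 401 or 403 from the REST dispatcher before any file is written, so an unauthenticated install attempt leaves only a rejected request in the access log rather than a new plugin folder.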
Two weeks into the attack campaign, Wordfence had identified these domains as hosting the zip files used by attackers as remote sources for plugin installation:
- ls.fatec[.]info
- dari-slideshow[.]ru
- zarjavelli[.]ru
- korobushkin[.]ru
- drschischka[.]at
- dpaxt[.]io
- cta.imasync[.]com
- catbox[.]moe (file sharing website)
To compromise vulnerable sites, attackers chained these vulnerabilities, first sending crafted REST API calls and then uploading and activating a malicious plugin fetched from one of those domains. This allowed them to create admin users, deploy backdoors, modify files, and deliver malicious payloads.
As an example of the type of payloads used in these attacks, Wordfence described how a malicious zip file included a password-protected script with All in One SEO headers. This payload automatically logged in an attacker as an administrator.
Another payload was a base64-encoded file management script that facilitates file upload and deletion but also performs other tasks, such as changing file permissions. Attackers could use this script to zip folders and then download and view files.
A third payload type—a file named vv.php—starts with a valid PDF header but contains malicious and obfuscated PHP code. It executes several function calls, including string reversals, decompression, and conversion steps.
Preparing for Future Attacks
Secure plugin design and proper privilege validation could have prevented these attacks. To set up sufficient defenses, admins need to inspect endpoint logs and review plugin inventories. They also need to watch for the signs of compromise:
- New plugin folders
- Unauthorized admin accounts
- Altered timestamps
- Suspicious REST API traffic
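The following is an added example, not Wordfence, GutenKit, Hunk Companion or WordPress code. It is a stand-alone PHP audit that checks three of the indicators above: plugin folders that are not on an approved baseline, approved plugins whose timestamps changed after the last review, and REST API requests that look like plugin install or activation traffic. The plugin baseline, the current inventory, the audit timestamp and the access-log lines are all constructed for the example; the `/wp-json/` and `rest_route=` prefixes are WordPress's real REST entry points, but the `example-plugin/v1` paths and the install/upload/activate path heuristic are assumptions, not the two plugins' actual routes.

```php
<?php
// Added example (not Wordfence or WordPress code). All data below is constructed.

// Approved plugin slugs and the time of the last review (constructed).
const EXAMPLE_PLUGIN_BASELINE = array( 'akismet', 'classic-editor', 'site-theme-companion' );
const EXAMPLE_LAST_AUDIT      = 1728000000; // Unix time of the last review

// Current plugin folders as [slug => mtime]. In production, build this from
// scandir( WP_PLUGIN_DIR ) and filemtime(); here it is hard-coded.
$inventory = array(
    'akismet'              => 1720000000,
    'classic-editor'       => 1719000000,
    'site-theme-companion' => 1728400000, // approved, but modified after the last audit
    'up'                   => 1728450000, // folder nobody installed
);

// Combined-format access log lines (constructed sample).
$access_log = <<<'LOG'
203.0.113.10 - - [09/Oct/2025:03:12:44 +0000] "POST /wp-json/example-plugin/v1/install HTTP/1.1" 200 83 "-" "python-requests/2.31"
203.0.113.10 - - [09/Oct/2025:03:12:46 +0000] "POST /wp-json/example-plugin/v1/activate HTTP/1.1" 200 52 "-" "python-requests/2.31"
198.51.100.7 - - [09/Oct/2025:03:13:01 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9121 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Oct/2025:03:13:05 +0000] "GET /?rest_route=/example-plugin/v1/install HTTP/1.1" 404 43 "-" "python-requests/2.31"
LOG;

// Indicator 1 and 3: unknown plugin folders, and altered timestamps on known ones.
function example_audit_plugins( array $inventory, array $baseline, int $last_audit ): array {
    $findings = array();
    foreach ( $inventory as $slug => $mtime ) {
        if ( ! in_array( $slug, $baseline, true ) ) {
            $findings[] = "unknown plugin folder: $slug";
        } elseif ( $mtime > $last_audit ) {
            $findings[] = "approved plugin modified after last audit: $slug (" . gmdate( 'c', $mtime ) . ')';
        }
    }
    return $findings;
}

// Indicator 4: REST requests whose path looks like plugin install/activation.
function example_audit_rest_log( string $log ): array {
    $findings = array();
    $per_ip   = array();
    // Captures client IP, timestamp, method, path and status from a combined-format line.
    $pattern = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})~';
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue;
        }
        list( , $ip, $when, $method, $path, $status ) = $m;
        $is_rest    = strpos( $path, '/wp-json/' ) === 0 || strpos( $path, 'rest_route=' ) !== false;
        $is_install = (bool) preg_match( '~/(install|upload|activate)(/|\?|$)~i', $path ); // heuristic
        if ( $is_rest && $is_install ) {
            $findings[]      = "REST install-style request: $method $path -> $status from $ip at $when";
            $per_ip[ $ip ] = ( $per_ip[ $ip ] ?? 0 ) + 1;
        }
    }
    // Repeated hits from one client are the signature of automated exploitation.
    foreach ( $per_ip as $ip => $count ) {
        if ( $count > 1 ) {
            $findings[] = "client $ip issued $count install-style REST requests";
        }
    }
    return $findings;
}

$findings = array_merge(
    example_audit_plugins( $inventory, EXAMPLE_PLUGIN_BASELINE, EXAMPLE_LAST_AUDIT ),
    example_audit_rest_log( $access_log )
);
foreach ( $findings as $finding ) {
    echo $finding, PHP_EOL;
}
```

Run with `php audit.php`; on the constructed data it reports the unknown `up` folder, the post-audit modification of `site-theme-companion`, each install-style REST request, and the repeated hits from `203.0.113.10`. The status code is kept in each finding because a 200 on an install route from an unauthenticated client is the case that warrants a closer look at the plugin inventory, while a 401 or 403 shows the capability check did its job.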
It’s also important to deploy these security measures:
- Update or remove the affected plugins (GutenKit ≥ 2.1.1; Hunk Companion ≥ 1.8.6)
- Delete unknown or suspicious plugins
- Rotate admin and API credentials
- Restore from clean backups and enable WAF protections
- Implement routine plugin audits and capability checks for REST endpoints
From the software vendor perspective, it’s critical to integrate automated capability-check testing into development workflows and use nonces for REST actions.
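The following is an added example, not a test from WordPress core or from either plugin's own test suite. It is the kind of automated capability-check test the paragraph above calls for: a function that walks a REST route table in the shape `WP_REST_Server::get_routes()` returns and lists every endpoint in a plugin's namespace whose `permission_callback` is missing or is the catch-all `__return_true`. The namespace `example-plugin/v1`, the route names and the callback names in the sample table are assumptions; the sample table itself is constructed so the script runs without WordPress.

```php
<?php
// Added example (not WordPress core or plugin test code). The route table
// below is constructed; namespace, routes and callback names are assumed.

// Returns "METHODS /route" for every endpoint under $namespace that has no
// permission_callback or uses '__return_true'. Closures are treated as real
// checks, since their bodies cannot be inspected from here.
function example_find_unguarded_routes( array $routes, string $namespace ): array {
    $findings = array();
    $prefix   = '/' . trim( $namespace, '/' ) . '/';
    foreach ( $routes as $route => $endpoints ) {
        if ( strpos( $route, $prefix ) !== 0 ) {
            continue; // belongs to another namespace (or is the namespace index)
        }
        foreach ( $endpoints as $endpoint ) {
            $cb = $endpoint['permission_callback'] ?? null;
            if ( null === $cb || '__return_true' === $cb ) {
                // get_routes() normalises 'methods' to [ 'POST' => true, ... ].
                $methods    = implode( ',', array_keys( (array) $endpoint['methods'] ) );
                $findings[] = "$methods $route";
            }
        }
    }
    return $findings;
}

// Constructed sample in the shape WP_REST_Server::get_routes() returns.
$sample_routes = array(
    '/example-plugin/v1/install' => array(
        array(
            'methods'             => array( 'POST' => true ),
            'callback'            => 'example_install',
            'permission_callback' => '__return_true', // open to everyone
        ),
    ),
    '/example-plugin/v1/settings' => array(
        array(
            'methods'             => array( 'GET' => true ),
            'callback'            => 'example_settings',
            'permission_callback' => 'example_can_manage', // guarded
        ),
        array(
            'methods'  => array( 'POST' => true ),
            'callback' => 'example_save_settings', // no permission_callback at all
        ),
    ),
    '/wp/v2/posts' => array(
        array(
            'methods'             => array( 'GET' => true ),
            'callback'            => 'core_get_posts',
            'permission_callback' => 'core_get_posts_check', // other namespace, ignored
        ),
    ),
);

foreach ( example_find_unguarded_routes( $sample_routes, 'example-plugin/v1' ) as $finding ) {
    echo "UNGUARDED: $finding", PHP_EOL;
}
```

Inside a WordPress test bootstrap (for instance a `WP_UnitTestCase` method), the same function runs against the live table: `rest_get_server()->get_routes()` fires `rest_api_init` on first use, so the plugin's routes are registered, and the test asserts that `example_find_unguarded_routes( ..., 'example-plugin/v1' )` is empty. Wiring that assertion into continuous integration means a route that ships without a capability check fails the build instead of reaching production.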
The Importance of Updates and Patching
This attack campaign demonstrates how legacy flaws can resurface if users neglect application updates. It also points to the criticality of keeping software supply chain ecosystems secure and following patch hygiene best practices.
“The fact that critical vulnerabilities in these open-source plugins for one of the most popular content management systems are being mass-exploited—a full year after discovery and patching—highlights a troubling industry reality,” said Vineeta Sangaraju, a Security Solutions Engineer at Black Duck. “Open source is still treated as set and forget.”
No doubt, automation and convenience features like plugin-install endpoints must be tightly controlled to avoid becoming persistent entry points for attackers. Organizations must treat WordPress plugin management as part of broader vulnerability lifecycle management, not an afterthought.