Mass Exploitation of WordPress Plugins GutenKit and Hunk Companion Puts Thousands of Sites at Risk
A surge in cyberattacks has put thousands of WordPress sites at risk, as hackers exploit critical flaws in popular plugins like GutenKit and Hunk Companion. These vulnerabilities, tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, have enabled attackers to remotely install malicious plugins, execute arbitrary code, and seize control of targeted websites. The scale of the threat is staggering: Wordfence, a leading WordPress security firm, reported blocking 8.7 million attack attempts in just two days in October 2025 (BleepingComputer).
What makes these attacks especially concerning is the use of obfuscated, password-protected scripts disguised as legitimate plugin components. These scripts allow attackers to maintain persistence, steal sensitive data, and even masquerade as site administrators. Despite the release of patches—GutenKit version 2.1.1 in October 2024 and Hunk Companion version 1.9.0 in December 2024—many sites remain vulnerable due to delayed updates or lack of awareness. This wave of exploitation underscores the urgent need for proactive security measures and regular plugin maintenance (BleepingComputer).
Exploitation of Vulnerabilities in GutenKit and Hunk Companion Plugins
Overview of Vulnerabilities
The GutenKit and Hunk Companion plugins for WordPress have been identified as having critical vulnerabilities that are being actively exploited by hackers. These vulnerabilities are tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, each with a critical CVSS score of 9.8. The vulnerabilities allow attackers to execute remote code, install arbitrary plugins, and potentially gain unauthorized access to WordPress sites.
CVE-2024-9234: GutenKit Plugin
CVE-2024-9234 is an unauthenticated REST-endpoint vulnerability in the GutenKit plugin, which has approximately 40,000 installations. This flaw permits attackers to install arbitrary plugins without needing authentication. The vulnerability is present in GutenKit version 2.1.0 and earlier, with a fix released in version 2.1.1 in October 2024. Despite the availability of a patch, many sites continue to run vulnerable versions, making them susceptible to attacks (BleepingComputer).
CVE-2024-9707 and CVE-2024-11972: Hunk Companion Plugin
The Hunk Companion plugin is affected by two vulnerabilities: CVE-2024-9707 and CVE-2024-11972. Both are missing-authorization vulnerabilities in the themehunk-import REST endpoint. These vulnerabilities can lead to the installation of arbitrary plugins and remote code execution. CVE-2024-9707 affects Hunk Companion version 1.8.4 and older, while CVE-2024-11972 impacts version 1.8.5 and previous versions. A patch was made available in version 1.9.0, released in December 2024 (BleepingComputer).
Attack Campaigns and Methods
Hackers have launched a widespread exploitation campaign targeting WordPress websites using the vulnerable GutenKit and Hunk Companion plugins. WordPress security firm Wordfence reported blocking 8.7 million attack attempts against its customers over just two days, October 8 and 9, 2025. The campaign leverages the aforementioned vulnerabilities to achieve remote code execution (RCE) on targeted sites (BleepingComputer).
Malicious Plugins and Tools
Attackers are hosting a malicious plugin on GitHub in a .ZIP archive called ‘up’. The archive contains obfuscated scripts that allow uploading, downloading, and deleting files, as well as changing permissions. One script, disguised as a component of the All in One SEO plugin, is password-protected and used to automatically log in the attacker as an administrator. These tools enable attackers to maintain persistence, steal or drop files, execute commands, or sniff private data handled by the site (BleepingComputer).
Indicators of Compromise
Administrators should be vigilant for specific indicators of compromise to detect potential exploitation of these vulnerabilities. They should examine site access logs for requests to /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import. Additionally, directories such as /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console should be checked for any rogue entries. These indicators can help identify if a site has been compromised (BleepingComputer).
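A defender-side check for the indicators listed above, added here as an example (it is not from the original article or from Wordfence): it scans combined-format access log lines for requests to the two REST endpoints and flags any of the named directory names found in a plugin directory listing. The log lines are constructed samples and the regex assumes the standard combined log format.

```python
import re

# REST endpoints the article says to look for in access logs.
EXPLOIT_PATHS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)
# Directory names the article lists as possible rogue entries.
ROGUE_DIRS = ("up", "background-image-cropper", "ultra-seo-processor-wp",
              "oke", "wp-query-console")

# Combined log format: client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def scan_access_log(lines):
    """Return (client, timestamp, method, path, status) for each hit on an exploit endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, ts, method, path, status = m.groups()
        # Compare the path only, ignoring any query string and trailing slash.
        if path.split("?", 1)[0].rstrip("/") in EXPLOIT_PATHS:
            hits.append((client, ts, method, path, int(status)))
    return hits


def find_rogue_dirs(entries):
    """Return the ROGUE_DIRS names present in a directory listing (e.g. os.listdir of wp-content/plugins)."""
    return sorted(set(entries) & set(ROGUE_DIRS))


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Oct/2025:10:15:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Oct/2025:10:15:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8192',
    '203.0.113.5 - - [09/Oct/2025:02:40:22 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("exploit endpoint hit:", hit)
    print("rogue dirs:", find_rogue_dirs(["akismet", "up", "wp-query-console"]))
```

A 200 on either endpoint from an unauthenticated client is the case to investigate first; a 403 shows the request was attempted and blocked.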
Mitigation and Prevention Strategies
To mitigate the risk of exploitation, it is crucial for WordPress site administrators to keep all plugins updated to the latest versions available from the vendors. This includes updating GutenKit to version 2.1.1 and Hunk Companion to version 1.9.0, where the vulnerabilities have been patched. Regularly monitoring site access logs and directories for indicators of compromise is also recommended. Implementing strong security measures, such as using firewalls and intrusion detection systems, can further protect against these attacks (BleepingComputer).
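A version check that an administrator could run against an installed plugin's main PHP file, added here as an example (not code from the article or from either plugin vendor). It reads the standard WordPress plugin header and compares the version against the patched releases the article names (GutenKit 2.1.1, Hunk Companion 1.9.0); the header text below is a constructed sample, and the "Plugin Name" values are assumed to match the vendors' headers.

```python
import re

# Oldest patched version per the article; anything older is flagged.
PATCHED = {"GutenKit": (2, 1, 1), "Hunk Companion": (1, 9, 0)}

# Matches "Plugin Name: X" or "Version: X" lines inside a plugin's header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(text):
    """Turn '1.8.5' into (1, 8, 5) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_plugin_header(source):
    """Return (plugin_name, version) from the header comment of a plugin's main PHP file."""
    fields = dict(HEADER_RE.findall(source))
    return fields.get("Plugin Name"), fields.get("Version")


def is_vulnerable(name, version):
    """True if the plugin is one of the affected ones and predates its patch; None if unknown."""
    if name not in PATCHED or version is None:
        return None
    return parse_version(version) < PATCHED[name]


# Constructed sample header (not a real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Hunk Companion
 * Description: constructed sample for the version check
 * Version: 1.8.5
 */
"""

if __name__ == "__main__":
    name, version = parse_plugin_header(SAMPLE_HEADER)
    print(name, version, "vulnerable" if is_vulnerable(name, version) else "ok")
```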
Broader Implications and Future Outlook
The exploitation of vulnerabilities in WordPress plugins like GutenKit and Hunk Companion highlights the ongoing challenges in maintaining website security. As attackers continue to target outdated and vulnerable plugins, it underscores the importance of timely updates and robust security practices. The increasing sophistication of attack methods, such as the use of obfuscated scripts and malicious plugins, necessitates continuous vigilance and adaptation of security strategies to safeguard websites against emerging threats (BleepingComputer).
Final Thoughts
The mass exploitation of outdated WordPress plugins like GutenKit and Hunk Companion is a stark reminder that even the most widely used platforms are only as secure as their weakest link. Attackers are becoming more sophisticated, leveraging obfuscated malware and exploiting slow patch adoption to compromise sites at scale. For website administrators, the lesson is clear: prioritize timely updates, monitor for unusual activity, and implement layered security defenses. As cyber threats continue to evolve, staying informed and vigilant is the best defense against the next wave of attacks (BleepingComputer).
References
- BleepingComputer. (2025, October 10). Hackers launch mass attacks exploiting outdated WordPress plugins. https://www.bleepingcomputer.com/news/security/hackers-launch-mass-attacks-exploiting-outdated-wordpress-plugins/