Hackers Exploit Outdated WordPress Plugins in Massive Attack Wave

Ethan Cole

A large-scale attack campaign is targeting WordPress sites through vulnerabilities in the GutenKit and Hunk Companion plugins, flaws that let unauthenticated attackers install arbitrary plugins and, from there, achieve remote code execution (RCE).

Security company Wordfence reported blocking 8.7 million attack attempts on its customers’ websites in just two days, October 8–9, revealing the massive scale of this exploitation wave.

Critical Vulnerabilities in Popular Plugins

Researchers identified three critical vulnerabilities: CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all rated CVSS 9.8.

  • CVE-2024-9234 impacts GutenKit (≈40,000 installs) and allows unauthenticated users to install arbitrary plugins via an exposed REST endpoint.
  • CVE-2024-9707 and CVE-2024-11972 affect Hunk Companion (≈8,000 installs); both stem from a missing authorization check on the themehunk-import endpoint, the second being a bypass of the incomplete fix for the first.

Because these endpoints accept a plugin package from any source without checking who is asking, the install itself is the foothold: attackers use it to load further malicious extensions and end up with full control of the site.

Exploitation and Payload Delivery

Wordfence analysts found that threat actors are hosting a malicious plugin named “up” on GitHub. The ZIP archive hides obfuscated PHP scripts capable of uploading, deleting, or modifying files on compromised sites.

One of these scripts masquerades as a component of the All in One SEO plugin and contains a password-protected backdoor, granting attackers administrator privileges. Once inside, they can maintain persistence, deploy web shells, or exfiltrate data.

When the primary payload does not yield full admin access, attackers fall back on installing wp-query-console, an abandoned plugin with an unauthenticated RCE flaw, so that neglected extensions give them a way back in even after a partial cleanup.

Indicators of Compromise

Administrators should monitor access logs for suspicious REST API calls such as:

  • /wp-json/gutenkit/v1/install-active-plugin
  • /wp-json/hc/v1/themehunk-import

They should also check wp-content/plugins for directories named up, background-image-cropper, ultra-seo-processor-wp, oke, or wp-query-console, and review any recently added files there.

Wordfence has published IP addresses tied to the campaign that site owners can use to block malicious traffic via firewall rules.
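As an added illustration, not code from the article or from Wordfence, the following Python script applies the checks above to a web-server access log and a plugin directory listing, and tallies the source IPs behind the exploit attempts so they can go into firewall rules. The log lines are constructed for the example; the routes and directory names are the ones listed above. It also recognises the `index.php?rest_route=...` form that WordPress accepts alongside `/wp-json/...`, which the article does not mention but which attackers can use when pretty permalinks are off.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# REST routes named in the article (the part after /wp-json/).
SUSPICIOUS_ROUTES = {
    "/gutenkit/v1/install-active-plugin",
    "/hc/v1/themehunk-import",
}

# Rogue plugin directory names named in the article (under wp-content/plugins/).
ROGUE_PLUGIN_DIRS = {"up", "background-image-cropper", "ultra-seo-processor-wp",
                     "oke", "wp-query-console"}

# Apache/nginx "combined" log format; only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: two exploit attempts from one IP, plus benign noise.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Oct/2025:10:01:12 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Oct/2025:10:01:13 +0000] "POST /index.php?rest_route=/hc/v1/themehunk-import HTTP/1.1" 403 198 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2025:10:02:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9342 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2025:10:02:30 +0000] "GET /wp-content/plugins/up/up.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""


def requested_route(target):
    """Return the REST route a request targets, or None.

    Handles both /wp-json/<route> and the index.php?rest_route=<route> form
    that WordPress also accepts, so the check is not fooled by the latter.
    """
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:
        return "/" + path.split("/wp-json/", 1)[1].rstrip("/")
    route = parse_qs(parts.query).get("rest_route")  # parse_qs already URL-decodes
    return route[0].rstrip("/") if route else None


def scan_access_log(lines):
    """Return one record per request that hit a route in SUSPICIOUS_ROUTES."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        route = requested_route(m["target"])
        if route in SUSPICIOUS_ROUTES:
            status = int(m["status"])
            hits.append({
                "ip": m["ip"], "time": m["ts"], "method": m["method"],
                "route": route, "status": status,
                # A 2xx to an unauthenticated caller means the install likely went
                # through; 401/403 suggests the patched permission check (or a
                # firewall) rejected it. Either way the source IP is hostile.
                "likely_succeeded": 200 <= status < 300,
            })
    return hits


def rogue_plugin_dirs(plugin_dir_names):
    """Given the entries of wp-content/plugins, return those matching known rogue names."""
    return sorted(set(plugin_dir_names) & ROGUE_PLUGIN_DIRS)


def top_source_ips(hits):
    """Source IPs of exploit attempts, most active first, as firewall block candidates."""
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h)
    print("rogue dirs:", rogue_plugin_dirs(["akismet", "up", "gutenkit-blocks-addon"]))
    print("block candidates:", top_source_ips(hits))
```

Run it against the real log with `python3 scan.py` after swapping `SAMPLE_LOG.splitlines()` for `open("/var/log/nginx/access.log")`; a hit with `likely_succeeded` set is the one to treat as a confirmed compromise rather than a blocked probe.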


Patching and Prevention

While fixes for these vulnerabilities were released almost a year ago — GutenKit 2.1.1 (October 2024) and Hunk Companion 1.9.0 (December 2024) — thousands of sites still run outdated versions.

Security experts recommend:

  • Keeping all plugins up to date;
  • Removing unused or abandoned ones;
  • Running regular integrity checks on plugin directories;
  • Implementing automated patch management within the CMS.
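As an added example (not the article's or Wordfence's code), this Python script turns the recommendations above into a repeatable check: it reads the JSON printed by `wp plugin list --format=json`, flags installs below the fixed releases named in the article, flags the abandoned wp-query-console plugin, and flags inactive plugins as candidates for removal. The plugin slugs used as keys and the sample JSON are assumptions constructed for the example; only the version numbers come from the article.

```python
import json
import re
import sys

# Fixed releases named in the article; anything older is vulnerable.
# The slugs (the `name` column of `wp plugin list`) are assumed for this example.
FIXED_VERSIONS = {
    "gutenkit-blocks-addon": "2.1.1",   # GutenKit, CVE-2024-9234
    "hunk-companion": "1.9.0",          # Hunk Companion, CVE-2024-9707 / CVE-2024-11972
}

# Abandoned plugin the article says attackers install as a fallback RCE path.
ABANDONED = {"wp-query-console"}

# Constructed sample in the shape of `wp plugin list --format=json` output.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "gutenkit-blocks-addon", "status": "active", "update": "available", "version": "2.0.1"},
    {"name": "hunk-companion", "status": "active", "update": "none", "version": "1.9.0"},
    {"name": "wp-query-console", "status": "inactive", "update": "none", "version": "1.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])


def parse_version(v):
    """Turn '2.1.10' into (2, 1, 10) so it sorts after '2.1.1'.

    A plain string comparison would rank '2.1.10' below '2.1.1' and miss
    or misreport vulnerable installs.
    """
    return tuple(int(n) for n in re.findall(r"\d+", v))


def audit_plugins(plugin_list_json):
    """Flag plugins that are below a fixed release, abandoned, or installed but unused."""
    findings = []
    for p in json.loads(plugin_list_json):
        name, version = p["name"], p["version"]
        fixed = FIXED_VERSIONS.get(name)
        if fixed and parse_version(version) < parse_version(fixed):
            findings.append({"plugin": name, "issue": "vulnerable",
                             "detail": f"{version} installed, fixed in {fixed}"})
        if name in ABANDONED:
            findings.append({"plugin": name, "issue": "abandoned",
                             "detail": "unauthenticated RCE, used by attackers as a fallback; remove"})
        elif p.get("status") == "inactive":
            findings.append({"plugin": name, "issue": "unused",
                             "detail": "inactive but still on disk; remove if not needed"})
    return findings


if __name__ == "__main__":
    # Accept real `wp plugin list --format=json` output on stdin, else use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    for f in audit_plugins(raw.strip() or SAMPLE_PLUGIN_LIST):
        print(f"{f['issue']:10} {f['plugin']}: {f['detail']}")
```

Usage on a live site: `wp plugin list --format=json | python3 audit.py`. Extend `FIXED_VERSIONS` as new advisories land; the comparison logic does not change.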

To minimize exposure, WordPress administrators should also alert on unexpected plugin installations and verify that updates come from the plugin's legitimate distribution channel rather than an arbitrary URL.
