Wordfence has observed a large-scale, automated campaign abusing critical vulnerabilities in the WordPress plugins GutenKit and Hunk Companion. Over a two-day window, the company’s web application firewall blocked approximately 8.7 million malicious requests, indicating broad, scripted exploitation against unpatched sites.
Critical CVEs: Unauthenticated REST API to Remote Code Execution
The threat actors are chaining three CVSS 9.8 vulnerabilities—CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972—to achieve remote code execution (RCE). In simple terms, RCE allows attackers to run arbitrary code on your server, often leading to full site compromise. The root cause shared by all three bugs is missing authorization checks on REST API endpoints: the routes perform privileged actions without verifying that the caller has permission.
CVE-2024-9234 affects GutenKit (about 40,000 active installs). Versions ≤ 2.1.0 expose an unauthenticated REST endpoint that lets attackers install arbitrary plugins without permission checks.
CVE-2024-9707 and CVE-2024-11972 impact the Hunk Companion plugin (around 8,000 installs) via the themehunk-import REST route, similarly enabling unauthorized plugin installation. Versions ≤ 1.8.4 are affected by CVE-2024-9707 and versions ≤ 1.8.5 by CVE-2024-11972.
Attack Chain: From REST Abuse to Persistent Admin Takeover
After initial access, adversaries fetch a ZIP archive from GitHub containing a malicious plugin named “up”. This plugin bundles obfuscated PHP designed for file upload/download, deletion, and permission changes, alongside a module that impersonates All in One SEO. The latter includes a password-gated backdoor that auto-authenticates the attacker as an administrator.
To maintain persistence and flexibility, operators can execute system commands, exfiltrate or replace files, and intercept sensitive data. If the primary vector is blocked, they deploy an additional plugin, wp-query-console, to regain unauthenticated code execution.
Indicators of Compromise (IoCs) and What to Inspect
Suspicious WordPress REST API Requests
Review access logs for the following endpoints: /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import. Wordfence has also shared IP addresses generating high volumes of malicious traffic; consult their advisory for the latest IoCs.
Unusual Directories and Files on Disk
Look for artifacts in /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console. Unknown PHP/ZIP files, obfuscated code, or unexpected cron jobs warrant isolation and forensic analysis.
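The following script is an added example for the two IoC checks above, not Wordfence's code or tooling. It scans access-log lines for the two abused REST routes (including the `?rest_route=` spelling that avoids the `/wp-json` prefix) and for requests into the suspicious plugin directories, then compares a plugin directory listing against the same names. The log lines and IP addresses are constructed samples.

```python
"""Access-log and plugin-directory triage for the IoCs listed above.

Added example, not Wordfence's code. It flags requests to the two REST
routes abused for unauthenticated plugin installation, including the
?rest_route= spelling that bypasses the /wp-json prefix, plus requests
into the dropped plugin directories. Log lines are constructed samples
with documentation-range IP addresses.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# REST routes named in the advisory
SUSPICIOUS_ROUTES = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)

# Directory names the advisory associates with the dropped plugins
SUSPICIOUS_PLUGIN_DIRS = {
    "up", "background-image-cropper", "ultra-seo-processor-wp",
    "oke", "wp-query-console",
}

# Common/combined log format: client IP, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

PLUGIN_PATH_RE = re.compile(r"^/wp-content/plugins/([^/]+)/")


def classify(path):
    """Return a reason string if the request path is an IoC, else None."""
    parts = urlsplit(path)
    # WordPress also serves the REST API as /?rest_route=/ns/v1/route
    rest_route = parse_qs(parts.query).get("rest_route", [""])[0]
    for route in SUSPICIOUS_ROUTES:
        bare = route[len("/wp-json"):]
        if parts.path.startswith(route) or rest_route.startswith(bare):
            return "abused REST route " + route
    m = PLUGIN_PATH_RE.match(parts.path)
    if m and m.group(1) in SUSPICIOUS_PLUGIN_DIRS:
        return "request into dropped plugin directory " + m.group(1)
    return None


def scan_access_log(lines):
    """Parse log lines and return one dict per request that matches an IoC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m.group("path"))
        if reason:
            hits.append({
                "ip": m.group("ip"),
                "method": m.group("method"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "reason": reason,
            })
    return hits


def summarize(hits):
    """Aggregate hits: total, per-source-IP counts and how many got a 200.

    A 200 on the install route is not proof of compromise, but those
    sources and the plugin directory should be reviewed first.
    """
    return {
        "total": len(hits),
        "by_ip": Counter(h["ip"] for h in hits),
        "succeeded": sum(1 for h in hits if h["status"] == 200),
    }


def check_plugin_dirs(names):
    """Return the plugin directory names that match the advisory's list."""
    return sorted(n for n in names if n in SUSPICIOUS_PLUGIN_DIRS)


# Constructed sample log (not real traffic)
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2025:12:00:03 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2025:12:00:05 +0000] "POST /?rest_route=%2Fgutenkit%2Fv1%2Finstall-active-plugin HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.5 - - [10/Oct/2025:12:00:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2025:12:00:12 +0000] "GET /wp-content/plugins/up/index.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["ip"], h["method"], h["status"], h["reason"])
    print(summarize(found))
    print(check_plugin_dirs(["akismet", "up", "gutenkit", "wp-query-console"]))
```

On a real host, feed it the web server's access log (`scan_access_log(open(path))`) and the output of `os.listdir("wp-content/plugins")`; a 403 on the route is consistent with a patched plugin or WAF block, while a 200 from an unknown source is the case to escalate to file-system review.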
Why Exploitation Persists Despite Available Patches
Patches have been available for months—GutenKit 2.1.1 since October 2024 and Hunk Companion 1.9.0 since December 2024—yet many sites remain on vulnerable versions. This “patch gap” creates an exposure window commonly exploited in mass campaigns. From an OWASP perspective, this activity reflects Broken Access Control combined with configuration weaknesses that accelerate compromise at scale.
Immediate Mitigations and Hardening for WordPress Sites
- Update now: GutenKit ≥ 2.1.1, Hunk Companion ≥ 1.9.0. Remove unused or abandoned plugins.
- Restrict plugin installation: where feasible, define DISALLOW_FILE_MODS as true in wp-config.php to prevent plugin/theme installation and updates via the dashboard.
- Enable and tune a WAF: ensure signatures and block rules are up to date; monitor for REST API abuse patterns.
- Audit logs and integrity: review web and REST logs, run file integrity scans, compare hashes, and check for unauthorized admin users.
- Credential hygiene: rotate admin passwords, API keys, and regenerate WordPress SALT keys after cleanup.
- Incident response: isolate affected instances, remove malicious plugins and backdoors, reissue credentials, and validate backups before restoration.
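As an added example that is not Wordfence's or the plugin vendors' code, the script below audits two of the mitigations above: whether wp-config.php actually has an uncommented `DISALLOW_FILE_MODS` set to true (and how to fix it in place), and whether GutenKit and Hunk Companion are at or above the fixed versions. It works on in-memory file contents so it runs offline; matching plugins by the start of their `Plugin Name:` header is an assumption about how the two plugins name themselves, and all sample contents are constructed.

```python
"""Patch-level and DISALLOW_FILE_MODS audit for the mitigations above.

Added example, not Wordfence's or the plugin vendors' code. It works on
in-memory copies of wp-config.php and of the plugin header comments; on a
real host read them from wp-config.php and from the main PHP file of each
directory under wp-content/plugins. Plugins are matched by the start of
their "Plugin Name:" header, which is an assumption about how the two
plugins name themselves. All file contents below are constructed samples.
"""
import re

# Fixed versions named in the advisory, keyed by plugin-name prefix
FIXED_VERSIONS = {
    "gutenkit": "2.1.1",
    "hunk companion": "1.9.0",
}

DEFINE_RE = re.compile(
    r"""define\(\s*['"]DISALLOW_FILE_MODS['"]\s*,\s*(true|false)\s*\)""", re.I
)
HARDENED_LINE = "define( 'DISALLOW_FILE_MODS', true );"
# Standard marker comment that stock wp-config.php carries
STOP_MARKER = "/* That's all, stop editing!"
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def _active_lines(text):
    """Yield (index, line) for lines that are not comment lines."""
    for i, line in enumerate(text.splitlines()):
        s = line.strip()
        if s.startswith(("//", "#", "*", "/*")):
            continue
        yield i, line


def file_mods_disallowed(wp_config):
    """True only if an uncommented define sets DISALLOW_FILE_MODS to true."""
    for _, line in _active_lines(wp_config):
        m = DEFINE_RE.search(line)
        if m:
            return m.group(1).lower() == "true"
    return False


def harden_wp_config(wp_config):
    """Return wp-config.php text with DISALLOW_FILE_MODS forced to true.

    An existing active define is rewritten in place (adding a second define
    of the same constant would only raise a PHP notice and be ignored);
    otherwise the line is inserted before the stop-editing marker, or
    appended if the marker is absent.
    """
    if file_mods_disallowed(wp_config):
        return wp_config
    lines = wp_config.splitlines()
    for i, line in _active_lines(wp_config):
        if DEFINE_RE.search(line):
            lines[i] = HARDENED_LINE
            return "\n".join(lines) + "\n"
    for i, line in enumerate(lines):
        if line.startswith(STOP_MARKER):
            lines.insert(i, HARDENED_LINE)
            break
    else:
        lines.append(HARDENED_LINE)
    return "\n".join(lines) + "\n"


def parse_plugin_header(text):
    """Extract Plugin Name and Version from a plugin's header comment."""
    fields = dict(HEADER_RE.findall(text))
    return {"name": fields.get("Plugin Name", ""),
            "version": fields.get("Version", "")}


def _vtuple(version):
    """'2.1.0' -> (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def check_plugin_versions(headers):
    """Return (name, version, outdated) for each plugin the advisory covers."""
    results = []
    for h in headers:
        for prefix, fixed in FIXED_VERSIONS.items():
            if h["name"].lower().startswith(prefix):
                outdated = _vtuple(h["version"]) < _vtuple(fixed)
                results.append((h["name"], h["version"], outdated))
    return results


# Constructed samples: a wp-config.php with the define only commented out,
# and three plugin header comments.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
// define( 'DISALLOW_FILE_MODS', true );
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

SAMPLE_HEADERS = [
    "/**\n * Plugin Name: GutenKit\n * Version: 2.1.0\n */\n",
    "/**\n * Plugin Name: Hunk Companion\n * Version: 1.9.0\n */\n",
    "/**\n * Plugin Name: Akismet Anti-spam\n * Version: 5.3\n */\n",
]

if __name__ == "__main__":
    print("file mods disallowed:", file_mods_disallowed(SAMPLE_WP_CONFIG))
    print(harden_wp_config(SAMPLE_WP_CONFIG))
    for name, ver, old in check_plugin_versions(
            parse_plugin_header(h) for h in SAMPLE_HEADERS):
        print(f"{name} {ver}: {'UPDATE REQUIRED' if old else 'ok'}")
```

The commented-out define in the sample is the common false positive: a plain `grep DISALLOW_FILE_MODS wp-config.php` reports it present, while PHP never evaluates it. Version comparison is done on integer tuples because a string comparison would rank "2.1.10" below "2.1.9".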
Mass exploitation of unauthenticated REST endpoints shows how quickly a small authorization flaw can cascade into full site takeover. Administrators can materially reduce risk by keeping plugins current, limiting high-impact functions like plugin installation, enforcing WAF protections, and following a disciplined incident response plan. Shrinking the time between patch release and deployment remains the single most effective way to stay out of the next Wordfence statistic.