Cybersecurity researchers have detected a massive wave of attacks targeting WordPress websites that use outdated versions of the GutenKit and Hunk Companion plugins. These vulnerabilities, if left unpatched, allow threat actors to achieve remote code execution (RCE) and gain full control of compromised sites. According to Wordfence, a leading WordPress security firm, over 8.7 million attack attempts were blocked within just two days—October 8 and 9, 2025—highlighting the scale of the campaign.
The attacks exploit three critical vulnerabilities tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, each carrying a CVSS severity score of 9.8. The first flaw, CVE-2024-9234, is an unauthenticated REST-endpoint vulnerability in the GutenKit plugin (with over 40,000 installations) that allows attackers to install arbitrary plugins without authentication. The other two, CVE-2024-9707 and CVE-2024-11972, exist within the Hunk Companion plugin’s themehunk-import REST endpoint, affecting roughly 8,000 sites. Both of these weaknesses lack proper authorization controls, enabling attackers to inject malicious components remotely.
Technical details reveal how attackers chain these flaws together to gain persistence and escalate their access. Once a vulnerable endpoint is found, the threat actor uses it to install a second, malicious plugin that opens a backdoor for RCE attacks. In particular, researchers discovered a malicious plugin hosted on GitHub in a .ZIP file named “up”, which contains obfuscated PHP scripts capable of uploading, downloading, and deleting files, changing file permissions, and even automatically logging the attacker in as an administrator. One of these scripts disguises itself as part of the All in One SEO plugin, making detection harder for unsuspecting administrators.
When direct exploitation fails, hackers pivot by installing the ‘wp-query-console’ plugin, which can also be used to achieve unauthenticated remote code execution. This flexible attack chain demonstrates a sophisticated understanding of WordPress’s REST API and plugin system, combining multiple vulnerabilities to ensure persistence and long-term access to victim sites.
Wordfence researchers have also shared indicators of compromise (IoCs) administrators should look for, including suspicious API requests such as /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import. Additionally, any unexpected directories like /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, or /wp-query-console may contain rogue or backdoored files.
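As an added illustration (not code from the Wordfence report), the following Python script triages a web-server access log for the two IoCs described above: requests to the exploited REST endpoints and requests into the rogue plugin directories. The log lines are constructed samples in the common combined log format, and the IP addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2025:10:01:13 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Oct/2025:10:01:15 +0000] "GET /wp-content/plugins/up/up.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.2 - - [08/Oct/2025:10:02:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Oct/2025:03:44:10 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 301 "-" "curl/8.0"
198.51.100.9 - - [09/Oct/2025:03:44:12 +0000] "GET /wp-content/plugins/wp-query-console/ HTTP/1.1" 200 77 "-" "curl/8.0"
"""

# REST endpoints and plugin directory names listed in the Wordfence IoCs.
SUSPICIOUS_ENDPOINTS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)
SUSPICIOUS_DIRS = ("up", "background-image-cropper", "ultra-seo-processor-wp", "oke", "wp-query-console")

# Minimal combined-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
DIR_RE = re.compile(r"^/wp-content/plugins/(?P<dir>[^/]+)/?")

def scan_log(text):
    """Return a list of (ip, timestamp, reason, path) for lines matching an IoC."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path").split("?", 1)[0]  # drop any query string
        reason = None
        if path in SUSPICIOUS_ENDPOINTS:
            reason = "exploit-endpoint"
        else:
            d = DIR_RE.match(path)
            if d and d.group("dir") in SUSPICIOUS_DIRS:
                reason = "rogue-plugin-dir"
        if reason:
            hits.append((m.group("ip"), m.group("ts"), reason, path))
    return hits

def summarize(hits):
    """Group hits by source IP so both stages (endpoint hit, then backdoor access) are visible together."""
    by_ip = defaultdict(list)
    for ip, _ts, reason, path in hits:
        by_ip[ip].append((reason, path))
    return dict(by_ip)
```

Running `summarize(scan_log(open("access.log").read()))` on a real log prints, per client, the endpoint hits followed by any access to the rogue directories; a client that shows both is a strong signal that the chain completed and the site needs a full audit.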
Although patches have been available for months—GutenKit 2.1.1 was released in October 2024 and Hunk Companion 1.9.0 in December 2024—many websites remain unpatched, leaving them vulnerable to exploitation. The primary cause is administrators failing to update plugins regularly, allowing attackers to take advantage of outdated versions.
Conclusion:
This attack campaign serves as a strong reminder that cyber hygiene and regular updates are critical for website security. Outdated plugins often act as open doors for attackers, and once exploited, they can compromise entire servers or inject malware that spreads across networks. WordPress site owners are urged to immediately update all plugins to their latest versions, perform a full site audit, and monitor logs for suspicious activity. In cybersecurity, prevention is far more cost-effective than recovery.