WordPress Users Warned: Massive Hacker Campaign Exploits Old GutenKit and Hunk Companion Plugins


426/68 Tuesday, October 28, 2025

A large-scale attack campaign is targeting WordPress websites running outdated versions of the GutenKit and Hunk Companion plugins. Security company Wordfence reported blocking as many as 8.7 million attack attempts within just two days (October 8–9). The attacks exploit critical vulnerabilities (CVSS 9.8) that allow attackers to install arbitrary plugins without authentication, ultimately leading to potential remote code execution (RCE) on the server. The vulnerabilities include CVE-2024-9234 in the GutenKit plugin (with over 40,000 installations) and CVE-2024-9707 and CVE-2024-11972 in the Hunk Companion plugin (with 8,000 installations).

According to Wordfence’s analysis, attackers hosted malicious plugins in a .ZIP file named “up” on GitHub. Inside the archive were obfuscated scripts, one of which masqueraded as a component of the All in One SEO plugin. This backdoor automatically logged attackers in as site administrators, enabling them to maintain persistent access, steal or delete files, and execute arbitrary commands. If administrator privileges could not be obtained directly, attackers instead deployed another vulnerable plugin, “wp-query-console,” to achieve RCE.

What makes this campaign notable is that all three vulnerabilities were patched nearly a year ago: GutenKit 2.1.1 was released in October 2024 and Hunk Companion 1.9.0 in December 2024. Many websites nevertheless still run the vulnerable versions. Administrators are strongly advised to review their installed plugins and update all of them to the latest versions immediately to prevent compromise.
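One way to carry out that review across many sites is to audit the plugin inventory that WP-CLI prints with `wp plugin list --format=json`. The script below is an added example, not code from the article or from Wordfence: it flags GutenKit and Hunk Companion installs older than the fixed versions named above, and it also reports the presence of the "wp-query-console" plugin the attackers are described as dropping. The wordpress.org plugin slugs used as keys (`gutenkit-blocks-addon`, `hunk-companion`, `wp-query-console`) are assumptions, and the inventory embedded in the script is constructed sample data, not output from a real site.

```python
"""Audit a WordPress plugin inventory against the fixed versions named in the
article. Added example code; not from the article or from Wordfence."""
import json
import re
import sys

# Fixed versions stated in the article. The slugs are assumptions about the
# wordpress.org directory names, not values taken from the article.
PATCHED_IN = {
    "gutenkit-blocks-addon": "2.1.1",  # GutenKit, CVE-2024-9234
    "hunk-companion": "1.9.0",         # Hunk Companion, CVE-2024-9707 / CVE-2024-11972
}

# Plugin the article says attackers installed to reach RCE when they could not
# obtain administrator access; finding it where nobody installed it is a red flag.
SUSPICIOUS = {"wp-query-console"}


def parse_version(version):
    """Turn '2.1.1' (or '2.1.1-beta') into a tuple of ints; non-numeric parts count as 0."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_lt(installed, fixed):
    """True when installed < fixed; pads so that '1.9' compares equal to '1.9.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit_plugins(plugin_list_json):
    """Return findings for the JSON emitted by `wp plugin list --format=json`."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug = plugin.get("name", "")
        version = plugin.get("version", "0")
        if slug in PATCHED_IN and version_lt(version, PATCHED_IN[slug]):
            findings.append({
                "plugin": slug,
                "issue": "vulnerable",
                "installed": version,
                "fixed_in": PATCHED_IN[slug],
                "status": plugin.get("status"),
            })
        if slug in SUSPICIOUS:
            findings.append({
                "plugin": slug,
                "issue": "unexpected plugin present",
                "installed": version,
                "status": plugin.get("status"),
            })
    return findings


# Constructed sample inventory in the shape WP-CLI prints; not data from a real site.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "gutenkit-blocks-addon", "status": "active", "update": "available", "version": "2.0.4"},
    {"name": "hunk-companion", "status": "active", "update": "none", "version": "1.9.0"},
    {"name": "wp-query-console", "status": "inactive", "update": "none", "version": "1.0"},
])

if __name__ == "__main__":
    # Usage: wp plugin list --format=json > plugins.json && python audit.py plugins.json
    # With no argument the constructed sample inventory is audited instead.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INVENTORY
    for finding in audit_plugins(data):
        print(finding)
```

The version check only compares against the two fixed versions the article names, so it answers "is this site still exposed to these specific CVEs"; keeping plugins current (`wp plugin update --all`) remains the actual remediation, and an unexpected `wp-query-console` entry should be treated as a possible sign of compromise rather than just an outdated plugin.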

Source: https://www.bleepingcomputer.com/news/security/hackers-launch-mass-attacks-exploiting-outdated-wordpress-plugins/