A widespread cyber campaign is aggressively targeting WordPress websites using outdated GutenKit and Hunk Companion plugins, both of which contain critical vulnerabilities that enable remote code execution attacks. Security researchers report that over 8.7 million malicious attack attempts were successfully blocked within just two days in October, highlighting the massive scale and intensity of this coordinated assault against vulnerable WordPress installations worldwide.
Critical Plugin Vulnerabilities Enable Remote Code Execution
The ongoing attack campaign exploits three critical CVE vulnerabilities: CVE-2024-9234 affecting GutenKit plugin versions up to 2.1.0, CVE-2024-9707 targeting Hunk Companion versions up to 1.8.4, and CVE-2024-11972 impacting Hunk Companion versions up to 1.8.5. All three vulnerabilities carry CVSS scores of 9.8, indicating critical severity levels that allow unauthenticated attackers to install arbitrary plugins and achieve complete system compromise through remote code execution capabilities.
These vulnerabilities stem from missing capability checks on REST API endpoints, specifically the /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import endpoints. The flawed permission callbacks set to “__return_true” make these endpoints publicly accessible, enabling attackers to bypass authentication mechanisms and install malicious plugins directly onto vulnerable WordPress sites without requiring administrative credentials or user interaction.
Malicious Plugin Installation Through GitHub-Hosted Payloads
Attackers systematically upload malicious plugins named “up.zip” hosted on GitHub repositories, containing heavily obfuscated scripts designed to establish persistent backdoor access and administrative control over compromised websites. These malicious packages masquerade as legitimate plugins but contain sophisticated file management tools, password-protected scripts with fake All in One SEO headers for automatic administrator login, and base64-encoded file uploaders that facilitate complete system takeover.
The malicious payloads include multiple backdoor mechanisms to ensure persistence, with some files starting with valid PDF headers while containing obfuscated PHP code that executes mass-defacement capabilities, network-sniffing tools, terminal access, and remote command execution functionality. When direct plugin installation fails, attackers deploy alternative vulnerable plugins like wp-query-console, which contains unpatched remote code execution vulnerabilities that serve as secondary attack vectors.
“The Wordfence Firewall has already blocked over 8,755,000 exploit attempts targeting these vulnerabilities. According to our data, attackers most recently started a mass attack on October 8th and 9th of 2025, a year after the initial disclosure.” – Wordfence Security Research Team
Attack Campaign Demonstrates Sophisticated Persistence Mechanisms
The coordinated attack campaign reveals sophisticated tactics designed to maintain long-term access to compromised WordPress installations through multiple redundant backdoor mechanisms. Security analysis reveals that attackers deploy several file managers and uploaders simultaneously, ensuring that even if some malicious files are discovered and removed, alternative access points remain available for continued exploitation and further malware deployment.
Forensic examination of the malicious payloads shows that attackers prioritize establishing multiple persistence mechanisms rather than relying on single point of access. The malicious files include advanced capabilities such as folder compression for data exfiltration, file permission modification tools, and network reconnaissance utilities that enable attackers to map internal network infrastructure and identify additional targets for lateral movement within compromised environments.
Indicators of Compromise Reveal Extensive Attack Infrastructure
Security researchers have identified specific indicators of compromise that WordPress administrators should monitor to detect potential breaches from this campaign. Suspicious log entries include requests to /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import endpoints, along with the presence of unauthorized plugin directories such as /up/, /wp-query-console/, /background-image-cropper/, and /ultra-seo-processor-wp/ within the WordPress plugins folder.
The attack infrastructure involves multiple domains hosting malicious payloads, including ls.fatec[.]info, dari-slideshow[.]ru, zarjavelli[.]ru, korobushkin[.]ru, and drschischka[.]at. Analysis of attack patterns reveals that threat actors are utilizing distributed IP addresses across multiple cloud providers, with some individual IP addresses generating over 349,000 blocked attack attempts, demonstrating the industrial scale and coordination of this malicious campaign.
Immediate Security Measures Required for WordPress Protection
WordPress administrators must immediately update all plugins to their latest versions, specifically ensuring GutenKit is updated to version 2.1.1 or higher and Hunk Companion is updated to version 1.9.0 or higher. These updates contain critical security patches that close the exploited vulnerabilities and prevent unauthorized plugin installation through the compromised REST API endpoints that attackers are actively targeting.
Beyond updating plugins, administrators should conduct comprehensive security audits of their WordPress installations, examining server logs for suspicious requests to the identified REST API endpoints and inspecting the /wp-content/plugins/ directory for unauthorized plugin installations. WordPress security best practices include implementing web application firewalls, enabling security monitoring, and establishing regular backup procedures to facilitate rapid recovery in case of successful compromise.
Organizations should also review their WordPress security posture by implementing additional protective measures such as limiting plugin installation capabilities, monitoring file system changes, and deploying intrusion detection systems that can identify malicious activity patterns. Website vulnerability management strategies should include regular security assessments, automated vulnerability scanning, and incident response procedures to address potential breaches quickly and effectively before attackers can establish persistent access or cause significant damage.
The massive WordPress attack campaign targeting GutenKit and Hunk Companion plugin vulnerabilities demonstrates the critical importance of maintaining up-to-date security patches and implementing comprehensive website protection measures. With over 8.7 million blocked attacks in just two days, this campaign represents one of the most significant WordPress security threats of 2025, emphasizing the urgent need for administrators to prioritize plugin updates and security monitoring to protect against sophisticated remote code execution attacks.