A new wave of cyberattacks is targeting websites running outdated WordPress plugins. Security researchers warn that hackers are exploiting known vulnerabilities in GutenKit and Hunk Companion, two popular plugins that remain unpatched on thousands of websites.

The large-scale campaign began in early October 2025, according to Wordfence, which detected over 8.7 million attack attempts in just two days. Despite the availability of fixes since 2024, many site owners continue to use old versions, leaving their installations exposed to remote code execution.

Critical flaws exploited in mass attacks

The campaign exploits three critical vulnerabilities. GutenKit exposes an unauthenticated REST endpoint that allows arbitrary plugin installation (CVE-2024-9234); the plugin is active on around 40,000 sites. Hunk Companion contains two missing-authorization bugs (CVE-2024-9707 and CVE-2024-11972) and runs on roughly 8,000 sites.

Hackers exploit these weaknesses to upload malicious plugins, create new admin accounts, or inject persistent backdoors. Once inside, they can control the site remotely and use it for further attacks or malware distribution.

Why outdated plugins remain a major risk

Although developers released patched versions — GutenKit 2.1.1 and Hunk Companion 1.9.0 — many administrators have not upgraded. Attackers now use automated tools to scan for vulnerable sites, exploiting outdated systems on a massive scale.

Researchers also note that many victims ignore update notifications or run abandoned websites, creating ideal conditions for exploitation. Because WordPress powers more than 40% of the web, even a small percentage of unpatched sites can fuel large coordinated attacks.

Warning signs and detection

Administrators should inspect their web-server access logs for requests to the REST endpoints abused in this campaign. WordPress serves these routes both under the pretty-permalink paths shown below and via the equivalent /?rest_route=... query form, so check for both:

  • /wp-json/gutenkit/v1/install-active-plugin
  • /wp-json/hc/v1/themehunk-import

Unfamiliar plugins, unauthorized admin accounts, or unexplained file uploads may indicate compromise. If any of these signs appear, clean the site immediately and reset all passwords. Note that updating the vulnerable plugin closes the entry point but does not remove a backdoor or rogue account that was planted before the update.
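As an added example (not code from the article, Wordfence, or either plugin), the following Python script scans access logs in the common/combined web-server format for the two endpoints above, normalizes the ?rest_route= query form to the same route, records whether the server accepted the request (2xx) or rejected it, and checks an installed plugin's version header against the patched releases named in this article. The log lines and plugin header are constructed samples, and the plugin directory slugs used as keys are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# REST routes named in the article as the ones abused in this campaign.
SUSPICIOUS_ROUTES = {
    "/wp-json/gutenkit/v1/install-active-plugin": "GutenKit (CVE-2024-9234)",
    "/wp-json/hc/v1/themehunk-import": "Hunk Companion (CVE-2024-9707, CVE-2024-11972)",
}

# First patched releases named in the article, keyed by plugin directory slug.
# The slugs are an assumption: check the folder names under wp-content/plugins/.
FIXED_VERSIONS = {
    "gutenkit-blocks-addon": (2, 1, 1),
    "hunk-companion": (1, 9, 0),
}

# Common/combined log format: ip ident user [time] "METHOD target proto" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [08/Oct/2025:10:12:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Oct/2025:10:12:03 +0000] "POST /index.php?rest_route=/hc/v1/themehunk-import HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2025:10:13:44 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2025:10:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
"""

# Constructed sample of a plugin main-file header (WordPress reads "Version:" from it).
SAMPLE_HEADER = """\
<?php
/**
 * Plugin Name: GutenKit
 * Version: 2.1.0
 */
"""


def normalize_route(target):
    """Map a request target to its REST route, covering both URL styles
    WordPress accepts: /wp-json/... and the ?rest_route=/... query form."""
    parts = urlsplit(target)
    rest_route = parse_qs(parts.query).get("rest_route")
    route = "/wp-json" + rest_route[0] if rest_route else parts.path
    return route.rstrip("/")


def scan_log(lines):
    """Return one finding per request that hit a known-abused route."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        route = normalize_route(m["target"])
        label = SUSPICIOUS_ROUTES.get(route)
        if label is None:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "time": m["time"],
            "method": m["method"],
            "route": route,
            "status": status,
            "label": label,
            # 2xx: WordPress served the request, so treat the site as possibly
            # compromised. 401/403: the patched plugin or a WAF rejected it.
            "accepted": 200 <= status < 300,
        })
    return findings


def parse_version(text):
    """Turn '2.1.0' (or '1.9') into a comparable 3-tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def plugin_header_version(header):
    """Pull the 'Version:' field out of a plugin's main-file header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(slug, version):
    """True when the installed version predates the first patched release."""
    fixed = FIXED_VERSIONS.get(slug)
    return fixed is not None and parse_version(version) < fixed


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        state = "ACCEPTED" if f["accepted"] else "rejected"
        print(f'{f["time"]} {f["ip"]} {f["method"]} {f["route"]} -> {f["status"]} ({state}) {f["label"]}')
    ver = plugin_header_version(SAMPLE_HEADER)
    print("GutenKit", ver, "vulnerable" if is_vulnerable("gutenkit-blocks-addon", ver) else "patched")
```

Run it against a real log with `scan_log(open("access.log"))`; an accepted POST to either route is the signal to start looking for the new plugins and admin accounts described above, while a rejected one at least tells you which addresses are probing the site.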

How to protect your WordPress site

To stay protected, site owners should:

  • Update all plugins and themes to the latest versions.
  • Remove inactive or unsupported plugins.
  • Enable automatic updates for critical components.
  • Use web-application firewalls and monitor logs daily.

Conclusion

The ongoing campaign against outdated WordPress plugins shows how dangerous unpatched software can become: even brief neglect lets cybercriminals hijack thousands of websites at once. Regular updates, security audits, and vigilant monitoring remain the best defense against large-scale exploitation campaigns targeting the WordPress ecosystem.

