A wave of WordPress plugin attacks is spreading across the internet, targeting websites that use outdated or unpatched extensions. Cybercriminals are exploiting known vulnerabilities to gain control of WordPress sites and install malicious plugins. The campaign has already affected thousands of websites and shows how quickly neglected updates can turn into serious security risks.
Massive exploitation campaign
Security company Wordfence reported more than eight million blocked attack attempts within just two days. The large-scale campaign abuses critical flaws in the GutenKit and Hunk Companion plugins, giving attackers a path to install and activate arbitrary plugins. The flaws in both plugins are reachable without authentication, and because anyone who can install and activate a plugin of their choosing can run arbitrary PHP on the server, they amount to unauthenticated remote code execution on any unpatched site.
Vulnerabilities behind the attacks
Researchers identified three key security flaws driving these attacks:
- CVE-2024-9234 – affects GutenKit 2.1.0 and earlier; a missing authorization check on an exposed REST endpoint lets unauthenticated requests install plugins.
- CVE-2024-9707 – affects Hunk Companion 1.8.4 and earlier; a missing authorization check lets unauthenticated attackers install and activate plugins.
- CVE-2024-11972 – affects Hunk Companion 1.8.5 and earlier, again leading to plugin upload and activation without authentication.
The developers fixed these flaws in GutenKit 2.1.1 and Hunk Companion 1.9.0, but many administrators have yet to apply the updates.
Attack methods and signs of compromise
The attackers deploy malicious plugin packages disguised as legitimate tools such as SEO or performance optimizers. Once activated, the plugin's PHP runs with the web server's privileges and is used to upload files, execute commands, and plant persistent backdoors.
Administrators should check their web server access logs for requests to the abused REST routes:
/wp-json/gutenkit/v1/install-active-plugin
/wp-json/hc/v1/themehunk-import
A request to either route that was answered with a 2xx status should be treated as a probable compromise rather than a blocked attempt. Administrators should also look in the plugins directory (wp-content/plugins/) for folders they did not install, such as wp-query-console, up, and oke, and inspect any unknown files or scripts inside them. Detecting these early can prevent further exploitation.
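The following triage script is an added example, not code from Wordfence or from the plugin authors. It combines the version boundaries from the CVE list above with the log and plugin-folder checks from this section: it flags requests to the two abused REST routes (including the ?rest_route= form WordPress uses when pretty permalinks are disabled), tells blocked attempts apart from served ones by HTTP status, and reports plugin folders named in the article. The log layout (Apache/nginx "combined" format), the sample log lines and the plugin inventory are constructed assumptions; the endpoint paths, version limits and folder names come from the article.

```python
"""Triage helper for the GutenKit / Hunk Companion campaign.

Added example; not Wordfence's or the plugin authors' code. Sample data
below is constructed for illustration.
"""
import re
from typing import Iterable
from urllib.parse import parse_qs

# REST routes abused by the campaign (from the article).
ABUSED_ENDPOINTS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)

# First patched release of each affected plugin (from the article).
FIXED_VERSIONS = {
    "gutenkit": (2, 1, 1),        # CVE-2024-9234: 2.1.0 and earlier
    "hunk-companion": (1, 9, 0),  # CVE-2024-9707 / CVE-2024-11972: 1.8.5 and earlier
}

# Plugin folder names the article says the attackers drop.
SUSPICIOUS_PLUGIN_DIRS = {"wp-query-console", "up", "oke"}

# Assumption: access logs use the Apache/nginx "combined" layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(v: str) -> tuple:
    """'2.1' -> (2, 1, 0); extra components beyond three are ignored."""
    parts = [int(p) for p in v.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(slug: str, version: str) -> bool:
    """True when an installed plugin is older than its first fixed release."""
    fixed = FIXED_VERSIONS.get(slug)
    return fixed is not None and parse_version(version) < fixed


def canonical_route(request_target: str) -> str:
    """Normalise a request target to its /wp-json/... route.

    WordPress also serves the REST API as /index.php?rest_route=/ns/v1/...
    on sites without pretty permalinks, so map that form to the same path.
    """
    path, _, query = request_target.partition("?")
    route = parse_qs(query).get("rest_route", [None])[0]
    if route:
        path = "/wp-json" + route
    return path.rstrip("/") or "/"


def find_exploit_attempts(lines: Iterable[str]) -> list:
    """Return one record per request that hit an abused route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = canonical_route(m["target"])
        if not any(path == ep or path.startswith(ep + "/") for ep in ABUSED_ENDPOINTS):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "method": m["method"],
            "path": path,
            "status": status,
            # A served POST (2xx) means the install request reached the plugin;
            # a 403 here is typically a firewall block and only an attempt.
            "likely_success": m["method"] == "POST" and 200 <= status < 300,
        })
    return hits


def suspicious_plugins(installed: Iterable[str]) -> set:
    """Folder names in wp-content/plugins/ that match the article's list."""
    return set(installed) & SUSPICIOUS_PLUGIN_DIRS


# Constructed sample log: two attempts against the abused routes, one benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2025:03:14:09 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Oct/2025:03:20:41 +0000] "POST /index.php?rest_route=/hc/v1/themehunk-import HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.10 - - [12/Oct/2025:03:21:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Constructed plugin inventory (folder name -> installed version).
SAMPLE_PLUGINS = {"akismet": "5.3", "gutenkit": "2.1.0", "hunk-companion": "1.9.0", "oke": "1.0"}

if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG.splitlines()):
        print(hit)
    for slug, ver in SAMPLE_PLUGINS.items():
        if is_vulnerable(slug, ver):
            print(f"{slug} {ver} is below the fixed release, update it")
    print("unexpected plugin folders:", suspicious_plugins(SAMPLE_PLUGINS))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines and SAMPLE_PLUGINS with the folder names and versions from wp-content/plugins/. A 403 on these routes usually means a firewall stopped the request, but a 200 on a POST from an unknown client is the case to escalate.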
How to protect WordPress sites
Website owners can reduce the risk of WordPress plugin attacks by following a few essential steps:
- Update GutenKit to 2.1.1 or later and Hunk Companion to 1.9.0 or later. If a vulnerable version was exposed before the update, also check for the indicators above, since patching does not remove a plugin the attackers already installed.
- Remove unused or suspicious plugins and themes.
- Regularly monitor server logs for requests to unexpected REST routes or unauthorized file uploads.
- Use a trusted web application firewall to block malicious requests.
- Keep WordPress core and PHP versions up to date.
Consistent maintenance and monitoring are key to avoiding large-scale infections.
Conclusion
The latest WordPress plugin attacks demonstrate how quickly outdated extensions can become entry points for hackers. By patching vulnerabilities, monitoring for suspicious activity, and practicing good security hygiene, site administrators can prevent full-scale compromises. Regular updates remain the most effective defense against mass exploitation campaigns targeting WordPress websites.