In September and October 2024, submissions revealed Arbitrary Plugin Installation vulnerabilities in GutenKit and Hunk Companion WordPress plugins, with 40,000 and 8,000+ installs, respectively. These flaws allow unauthenticated attackers to install plugins and achieve RCE.
Wordfence researchers reported that threat actors are exploiting these flaws in the above plugins and blocked 8.7M attacks in two days, October 8–9.
“On September 25th, 2024, and on October 3rd, 2024, we received submissions through our Bug Bounty Program for Arbitrary Plugin Installation vulnerabilities in the GutenKit and Hunk Companion WordPress plugins, which have over 40,000 and 8,000 active installations, respectively.” reads the report published by Wordfence. “Our records indicate that attackers most recently started mass exploiting the issues again on October 8th, 2025 (approximately one year later), following several earlier incidents of large-scale exploitation. The Wordfence Firewall has already blocked over 8,755,000 exploit attempts targeting these vulnerabilities.”
The flaws exploited by the attackers are: (CVSS 9.8).
themehunk-import REST endpoint. An unauthenticated attacker can exploit them to install arbitrary plugins. Code review shows that both GutenKit and Hunk Companion register REST endpoints with ‘permission_callback’ set to true, which makes them publicly reachable without authentication. GutenKit’s install-active-plugin endpoint downloads and unzips a remote plugin ZIP without any auth check, so an unauthenticated attacker can install and activate a plugin of their choosing and potentially achieve RCE. Hunk Companion’s themehunk-import endpoint permits the same attack.
Attack data shows mass exploitation attempts against GutenKit and Hunk Companion. Attackers sent requests to GutenKit’s install-active-plugin REST endpoint to fetch a malicious ZIP from GitHub (slug “up”) containing obfuscated backdoors, file managers, and a PDF-headed vv.php carrying malicious payloads.
“A file named vv.php starts with a valid PDF header but contains malicious PHP code which again is heavily obfuscated. It executes several function calls including string reversals, decompression and conversion steps on an included payload.” continues the report. “Decoded, the sample proves to be a tool with mass-defacement, file management, and network-sniffing capabilities. It also provides a terminal, remote code execution and can be used to install further malware.”
Wordfence blocked over 8,755,000 attempts, with the top source IPs each making tens to hundreds of thousands of requests. The researchers observed that attacks resumed on October 8–9, 2025, a year after disclosure.
Wordfence shared several IPs involved in the campaign. Admins should check logs for /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import requests, and inspect /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console folders for rogue files. Keeping plugins updated is strongly advised.
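The log check described above, as an added example that is not part of the Wordfence report or this article: it parses combined-format access-log lines (the sample lines are constructed, using documentation IP ranges), counts requests per source IP to the two REST endpoints named above in both WordPress REST URL forms, and flags any of the listed plugin directories present on a site.

```python
# Added example: detection over web-server access logs for the two REST
# endpoints named in the report, plus a check for the rogue plugin folders.
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Endpoint paths and plugin directory names taken from the report.
TARGET_ENDPOINTS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)
SUSPECT_PLUGIN_DIRS = {"up", "background-image-cropper",
                       "ultra-seo-processor-wp", "oke", "wp-query-console"}

# Minimal combined-log-format parser: source IP, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (TEST-NET addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Oct/2025:10:01:12 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Oct/2025:10:01:13 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 388 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2025:10:02:40 +0000] "POST /index.php?rest_route=%2Fgutenkit%2Fv1%2Finstall-active-plugin HTTP/1.1" 403 0 "-" "curl/8.0"
192.0.2.9 - - [08/Oct/2025:10:03:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
""".splitlines()

def normalize(path):
    """Map '/index.php?rest_route=/x/y' to '/wp-json/x/y' so both REST URL forms match."""
    base, _, query = path.partition("?")
    for kv in query.split("&"):
        key, _, value = kv.partition("=")
        if key == "rest_route" and value:
            return "/wp-json" + unquote(value).rstrip("/")
    return base.rstrip("/")

def scan_log(lines):
    """Return {endpoint: Counter(ip -> hits)} for every request to a target endpoint.
    Blocked (403) attempts are counted too; they still identify attacking sources."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize(m.group("path"))
        if path in TARGET_ENDPOINTS:
            hits[path][m.group("ip")] += 1
    return hits

def suspicious_plugin_dirs(installed):
    """Return the installed plugin directory names that appear in the report's list."""
    return sorted(SUSPECT_PLUGIN_DIRS & set(installed))
```

Run `scan_log(SAMPLE_LOG)` against your own access log lines and `suspicious_plugin_dirs(os.listdir('wp-content/plugins'))` on the site to get the per-IP hit counts and any flagged folders.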
“The attackers are attempting to install plugins with embedded malicious PHP code onto websites. It is recommended to review the /wp-content/plugins and /wp-content/upgrade directories for any suspicious or unknown plugin directories.” concludes the report. “Make sure Wordfence is configured to scan files in these directories.”
(SecurityAffairs – hacking, plugins)