Widespread mass attacks target outdated WordPress plugins

Widespread exploitation campaigns are targeting WordPress sites that still run outdated versions of the GutenKit and Hunk Companion plugins, allowing attackers to install arbitrary plugins and, in many cases, achieve remote code execution (RCE) through chained vulnerabilities.

What happened and why it matters

Security teams observed a rapid resurgence of attacks beginning 8 October 2025 that leveraged three critical vulnerabilities — CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972 — each rated critical with CVSS scores of 9.8, and all enabling unauthenticated or missing-authorization plugin installs that lead to downstream RCE opportunities.

Scale and attacker tactics

Wordfence telemetry shows defenders blocked roughly 8.7 million exploit attempts in a two-day window, demonstrating automated, high-volume scanning and exploitation at scale. Threat actors are distributing a malicious ZIP archive named “up” on public hosting that contains obfuscated scripts and an admin backdoor disguised as a legitimate plugin component to achieve persistence and full site takeover.

Indicators of compromise to look for

  • Suspicious REST requests such as /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import in access logs.
  • Unexpected directories or files named /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, or /wp-query-console on the webroot.
  • New plugins installed without administrator action, unusual admin logins, or obfuscated PHP files and scheduled tasks that execute webshells.
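As an added example (not code from the report or from Wordfence), the script below flags the two REST endpoints listed above in a combined-format access log and checks a webroot for the dropped directory names; the log lines and the webroot path are constructed samples.

```python
import re
from pathlib import Path

# REST endpoints abused in this campaign, as named in the indicators above.
SUSPICIOUS_ENDPOINTS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)
# Directory names the campaign drops on the webroot, as named above.
SUSPICIOUS_DIRS = ("up", "background-image-cropper", "ultra-seo-processor-wp",
                   "oke", "wp-query-console")

# Combined log format: client IP, two "-" fields, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return one hit per request that targets a suspicious REST endpoint.

    The query string and trailing slash are stripped before matching, so
    variants such as .../themehunk-import?x=1 are still caught. Blocked (403)
    requests are reported too: they show who is probing the site.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path in SUSPICIOUS_ENDPOINTS:
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "path": path, "status": int(m.group("status"))})
    return hits


def find_dropped_dirs(webroot):
    """Return the suspicious names that exist directly under webroot (no recursion)."""
    root = Path(webroot)
    return sorted(name for name in SUSPICIOUS_DIRS if (root / name).exists())


# Constructed sample log lines (documentation IP ranges), not real telemetry.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Oct/2025:10:01:02 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [09/Oct/2025:10:01:05 +0000] "POST /wp-json/hc/v1/themehunk-import?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '198.51.100.4 - - [09/Oct/2025:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
    print("dropped dirs:", find_dropped_dirs("/var/www/html"))  # assumed webroot path
```

Run it against the real access log with `scan_access_log(open(path))` and against the site's actual document root; any hit with a 200 status on the install endpoint warrants the hunt-and-remove steps below.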

Immediate actions for administrators (operational checklist)

  1. Patch now: Update GutenKit to 2.1.1 or later and Hunk Companion to 1.9.0 or later immediately.
  2. Hunt and remove: Search for the IOC paths and remove any unauthorized plugins, webshells, or the “up” archive contents.
  3. Harden access: Reset administrator credentials, enforce MFA for all admin accounts, and rotate any exposed API keys or service credentials.
  4. Contain and monitor: Temporarily disable plugin installation via REST or restrict /wp-json access to trusted IPs while you investigate.
  5. Scan and restore: Run a full integrity scan, compare files against clean backups, and restore compromised sites from known-good backups where necessary.
  6. Block malicious infrastructure: Apply IP blocks and WAF rules against high-volume IPs reported by Wordfence and your logs.

Longer-term controls and resilience measures

  • Reduce attack surface: Remove unused plugins and themes, minimize plugin count, and subscribe to active vulnerability alerts for your components.
  • Deploy allow-listing and file integrity monitoring to detect unauthorized uploads and code changes quickly.
  • Segment admin interfaces and limit REST API exposure to management networks.
  • Automate patching and inventory so plugin versions and install counts are visible and actionable across all sites.
  • Run tabletop and recovery rehearsals that include plugin-supply-chain compromise scenarios.

Closing reminder

Outdated, high-install-count plugins are predictable targets; patching and proactive detection convert a large-scale campaign into a manageable incident. Act quickly to patch, hunt, and harden WordPress sites to prevent small flaws from becoming full-site takeovers.
