A widespread exploitation campaign is targeting WordPress websites with GutenKit and Hunk Companion plugins vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE).
WordPress security firm Wordfence says that it blocked 8.7 million attack attempts against its customers in just two days, October 8 and 9.
The campaign expoits three flaws, tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all rated critical (CVSS 9.8).
CVE-2024-9234 is an unauthenticated REST-endpoint flaw in the GutenKit plugin with 40,000 installs that allows installing arbitrary plugins without authentication.
CVE-2024-9707 and CVE-2024-11972 are missing-authorization vulnerabilities in the themehunk-import REST endpoint of the Hunk Companion plugin (8,000 installs) which can also lead to installing arbitrary plugins.
An authenticated attacker can leverage the vulnerabilities to introduce another vulnerable plugin that allows remote code execution.
CVE-2024-9234 affects GutenKit 2.1.0 and earlier
CVE-2024-9707 impacts Hunk Companion 1.8.4 and older
CVE-2024-11972 impacts Hunk Companion 1.8.5 and previous versions
Fixes for the three vulnerabilities became available in Gutenkit 2.1.1, released in October 2024, and Hunk Companion 1.9.0, released in December 2024. However, despite the vendor fixing them almost a year ago, many websites continue to use vulnerable versions.
... continue reading