Threat actors have launched a significant mass exploitation campaign targeting critical vulnerabilities in two popular WordPress plugins, GutenKit and Hunk Companion, affecting hundreds of thousands of websites globally.
These vulnerabilities, discovered in September and October 2024, have resurfaced as an active threat in October 2025, demonstrating the persistent danger of unpatched installations.
The attack vectors leverage improper permission checks in REST API endpoints, allowing unauthenticated attackers to install malicious plugins and achieve remote code execution without any user interaction.
The GutenKit plugin, with over 40,000 active installations, and Hunk Companion, with approximately 8,000 active users, represent significant attack surfaces due to their widespread adoption.
Wordfence Threat Response Unit analysts identified that attackers began mass exploitation again on October 8th, 2025, approximately one year after initial disclosure, indicating threat actors continue leveraging these critical flaws for large-scale compromise operations.
The Wordfence Firewall has already blocked more than 8,755,000 exploit attempts targeting these vulnerabilities since protective rules were deployed.
The threat landscape reveals organized attack infrastructure with multiple malicious payloads designed for persistence and lateral movement.
Wordfence Threat Response Unit researchers noted that attackers distribute heavily obfuscated backdoors, file managers, and webshells capable of mass defacement, network reconnaissance, and terminal access.
The attacks exploit a permission callback that simply returns true, turning otherwise legitimate plugin installation functionality into an unauthenticated entry point for system compromise.
REST API Permission Mechanism Exploitation
The fundamental vulnerability stems from a critical misconfiguration in REST API endpoint registration. Both plugins register permission callbacks that unconditionally return true for every request, including unauthenticated ones, effectively disabling access controls entirely.
In GutenKit, the vulnerable endpoint routes to the install_and_activate_plugin_from_external() function via the gutenkit/v1/install-active-plugin endpoint, while Hunk Companion exposes similar functionality through hc/v1/themehunk-import.
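As an added illustration, not code from GutenKit or Hunk Companion, the following shows the registration pattern described above beside a hardened form that requires the install_plugins capability and accepts only a WordPress.org slug instead of an arbitrary URL. The route namespace, handler names and the slug parameter are assumptions.

```php
<?php
// Added illustrative example; route names, handlers and parameters are assumed.

// VULNERABLE PATTERN: __return_true means anyone who can reach /wp-json/
// passes the permission check, so the handler runs for unauthenticated callers.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_from_url', // assumed handler
        'permission_callback' => '__return_true',                   // <- the defect
    ) );
} );

// HARDENED PATTERN: a real capability check plus strict input validation.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_from_slug',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // current_user_can() is false for anonymous callers and for
            // cookie-authenticated calls whose X-WP-Nonce failed validation.
            if ( ! current_user_can( 'install_plugins' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'type'              => 'string',
                // Accept a plugin slug only, never a remote ZIP URL.
                'validate_callback' => function ( $value ) {
                    return (bool) preg_match( '/^[a-z0-9-]{1,64}$/', $value );
                },
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

// Resolve the slug through WordPress.org so the package URL comes from the
// plugin directory, not from the request body.
function example_install_plugin_from_slug( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $request['slug'] ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    return rest_ensure_response( array( 'installed' => ( true === $result ) ) );
}
```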
The exploitation mechanism works by sending POST requests with arbitrary plugin URLs hosted on external repositories, typically GitHub or attacker-controlled domains.
When an unauthenticated request reaches these endpoints, the server downloads and extracts the specified ZIP archive directly into wp-content/plugins without validating plugin authenticity or code integrity.
Wordfence Threat Response Unit analysts discovered that the malicious packages contain obfuscated PHP scripts carrying All in One SEO plugin headers to evade basic detection, alongside base64-encoded file managers and backdoors disguised with PDF headers, enabling complete system compromise.
The installation process executes automatically, activating malicious code immediately and providing attackers direct command execution capabilities for installing additional malware, modifying website content, and establishing persistent access mechanisms.
| CVE ID | Plugin | Affected Versions | Patched Version | CVSS Score | Vulnerability Type | Bounty |
|---|---|---|---|---|---|---|
| CVE-2024-9234 | GutenKit | ≤ 2.1.0 | 2.1.1 | 9.8 (Critical) | Unauthenticated Arbitrary File Upload | $716.00 |
| CVE-2024-9707 | Hunk Companion | ≤ 1.8.4 | 1.9.0 | 9.8 (Critical) | Missing Authorization – Arbitrary Plugin Installation | $537.00 |
| CVE-2024-11972 | Hunk Companion | ≤ 1.8.5 | 1.9.0 | 9.8 (Critical) | Missing Authorization – Plugin Installation Bypass | N/A |
Website administrators should immediately update GutenKit to version 2.1.1 and Hunk Companion to version 1.9.0. Review wp-content/plugins and wp-content/upgrade directories for suspicious installations.
Monitor access logs for requests to /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import endpoints, and implement firewall rules to restrict API access to authenticated users only.