Hackers Exploit WordPress Arbitrary Installation Vulnerabilities in the Wild

Cybersecurity firm Wordfence has uncovered a renewed wave of mass exploitation targeting critical vulnerabilities in two popular WordPress plugins, allowing unauthenticated attackers to install malicious software and potentially seize control of websites.

The flaws, first disclosed in late 2024, affect GutenKit and Hunk Companion plugins, which boast over 40,000 and 8,000 active installations respectively.

Despite patches being available for over a year, hackers reignited large-scale attacks on October 8, 2025, prompting urgent calls for site administrators to update immediately.

Renewed Attacks Target Unpatched Sites

The vulnerabilities stem from missing authorization checks in the plugins’ REST API endpoints, enabling anyone to install and activate arbitrary plugins without authentication.

In GutenKit versions up to 2.1.0, the “install-active-plugin” endpoint lacks proper permissions, allowing attackers to upload and unzip malicious ZIP files directly into the WordPress plugins directory.

This can lead to remote code execution (RCE) by deploying backdoors disguised as legitimate plugins.

Similarly, Hunk Companion versions up to 1.8.5 expose the “themehunk-import” endpoint, which attackers exploit to pull in vulnerable plugins from the WordPress repository, such as the unpatched wp-query-console with its own RCE flaw.

Wordfence researchers, including Sean Murphy and Daniel Rodriguez, identified these issues through their bug bounty program, earning bounties of $537 to $716. Both carry a CVSS score of 9.8, marking them as critical.

Attack logs reveal sophisticated tactics. One common payload, hosted on GitHub, includes obfuscated PHP scripts mimicking All in One SEO for admin takeovers, file managers for uploading malware, and tools for mass defacement and network sniffing.

Another attempt installs wp-query-console to chain exploits. Wordfence’s firewall has thwarted over 8.75 million attempts since rules were deployed in September 2024, with a spike on October 8-9, 2025.

Top offending IPs, like 3.141.28.47 (349,900 blocks) and 13.218.47.110 (82,900 blocks), suggest coordinated botnet activity. Premium users received protections first, while free versions got them after a 30-day delay.

Recommendations for WordPress Users

Site owners must upgrade to GutenKit 2.1.1 and Hunk Companion 1.9.0 right away. Enable firewalls like Wordfence to block API abuse, and audit installed plugins for suspicious activity.

Wordfence warns that unpatched sites remain prime targets, even a year post-disclosure, underscoring the persistence of threat actors in exploiting outdated software.

Indicators of Compromise (IoCs):

Suspicious Requests
  /wp-json/gutenkit/v1/install-active-plugin
  /wp-json/hc/v1/themehunk-import

Suspicious IP Addresses
  13.218.47.110, 3.10.141.23, 52.56.47.51, 18.219.237.98, 2600:1f16:234:9300:70c6:9e26:de1a:7696, 18.116.40.45, 119.34.179.21, 2600:1f16:234:9300:f71:bed2:11e5:4080, 194.87.29.184, 3.133.135.47, 3.141.28.47, 3.85.107.39, 3.148.175.195, 193.84.71.244, 3.147.6.140, 3.144.26.200, 193.233.134.136

Common Malicious Plugin Directories
  /up (up.zip) – Malicious plugin
  /background-image-cropper (background-image-cropper.zip) – Malicious plugin
  /ultra-seo-processor-wp (ultra-seo-processor-wp.zip) – Malicious plugin
  /oke (oke.zip) – Malicious plugin

Legitimate Plugin Directory
  /wp-query-console – Legitimate WordPress plugin

Involved Domains
  ls.fatec[.]info, dari-slideshow[.]ru, zarjavelli[.]ru, korobushkin[.]ru, drschischka[.]at, dpaxt[.]io, cta.imasync[.]com, catbox[.]moe (file sharing website)
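To turn the indicators above into a quick access-log check, here is an added example (not code from Wordfence or this article) that parses Combined Log Format lines and flags requests to the two abused REST endpoints, distinguishing accepted (2xx) from rejected attempts, plus any access to the listed malicious plugin directories. The log lines are constructed samples; the first client address is taken from the IoC list, the others are documentation-range placeholders.

```python
import re

# Endpoints the advisory names as abused for unauthenticated plugin installation.
SUSPICIOUS_PATHS = {
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
}
# Plugin slugs the advisory's IoC table lists as dropped by the attackers.
MALICIOUS_SLUGS = ("up", "background-image-cropper", "ultra-seo-processor-wp", "oke")

# Combined Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in that format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": path, "status": int(status)}

def classify(entry):
    """Return why a request matches the advisory's indicators, or None if it does not."""
    norm = entry["path"].split("?", 1)[0].rstrip("/")  # drop query string, trailing slash
    if norm in SUSPICIOUS_PATHS:
        # Only a 2xx answer means the plugin processed the install; 401/403 is a blocked attempt.
        outcome = "accepted" if 200 <= entry["status"] < 300 else "rejected"
        return f"arbitrary-install endpoint {norm} ({outcome})"
    for slug in MALICIOUS_SLUGS:
        if (norm + "/").startswith(f"/wp-content/plugins/{slug}/"):
            return f"access to known malicious plugin directory /{slug}/"
    return None

def scan(lines):
    """Return (ip, method, path, reason) for every log line matching an indicator."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and (reason := classify(entry)):
            hits.append((entry["ip"], entry["method"], entry["path"], reason))
    return hits

# Constructed sample log lines (not real traffic); the first IP is from the IoC list above.
SAMPLE_LOG = """\
3.141.28.47 - - [08/Oct/2025:10:01:02 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512
3.141.28.47 - - [08/Oct/2025:10:01:05 +0000] "GET /wp-content/plugins/up/up.php HTTP/1.1" 200 1024
203.0.113.9 - - [08/Oct/2025:10:02:00 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 401 85
198.51.100.7 - - [08/Oct/2025:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096
""".splitlines()

for hit in scan(SAMPLE_LOG):
    print(*hit)
```

An "accepted" hit on either endpoint from an unauthenticated client means the install went through and the plugins directory should be audited, not just the firewall log.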

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.