
WordPress Plugin Vulnerabilities Lead to Mass Site Compromise

Caption: WordPress admin dashboard showing a plugin vulnerability alert. Security experts warn that outdated WordPress plugins are being actively exploited in a global attack wave.

In recent weeks, threat actors launched a large-scale campaign targeting websites running outdated versions of two WordPress plugins, both carrying critical vulnerabilities that were patched months ago but remain unfixed on many sites. The sheer volume of blocked attempts highlights how severely legacy plugin versions continue to endanger sites across the web.

What’s Happening

The cybersecurity firm Wordfence blocked approximately 8.7 million attack attempts across their customer base during 8–9 October 2025, driven by automated exploitation of versions of the GutenKit and Hunk Companion plugins for WordPress. 

Three technical flaws fuelled this campaign:

  • CVE‑2024‑9234 : affects GutenKit ≤ 2.1.0; an unauthenticated REST endpoint lets attackers install arbitrary plugins. 

  • CVE‑2024‑9707 & CVE‑2024‑11972 : affect Hunk Companion ≤ 1.8.4 and ≤ 1.8.5 respectively; missing authorization on the themehunk-import endpoint likewise enables plugin installation. 

While patches have existed for months (GutenKit 2.1.1 in Oct 2024; Hunk Companion 1.9.0 in Dec 2024), many installations remain unpatched, leaving mass exposure. 
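To check an installation against those fixed versions, here is an added example (not code from this page, from Wordfence, or from either plugin vendor). It reads the Version: header that WordPress itself uses to identify a plugin and compares it with the minimum fixed release. The directory slugs gutenkit-blocks-addon and hunk-companion are assumed to be the plugins' WordPress.org slugs, and the sample headers at the bottom are constructed.

```python
"""Audit WordPress plugins against the minimum fixed versions (added example).

WordPress identifies a plugin by the comment header in its main PHP file,
e.g. wp-content/plugins/<slug>/<main>.php; the 'Version:' line there is what
the dashboard shows. This script reads that header and compares it with the
fixed release given in the advisories.
"""
import re
import sys
from pathlib import Path

# Minimum fixed releases from the advisories. The directory slugs are assumed
# to be the plugins' WordPress.org slugs (assumption, not from the article).
FIXED_VERSIONS = {
    "gutenkit-blocks-addon": "2.1.1",  # GutenKit, CVE-2024-9234
    "hunk-companion": "1.9.0",         # Hunk Companion, CVE-2024-9707 / CVE-2024-11972
}

# 'Version:' at the start of a header line, optionally after the ' * ' of a docblock.
VERSION_RE = re.compile(r"^[ \t/*#]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(header_text):
    """Return the value of the Version: header, or None if absent."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version):
    """'2.1.0' -> (2, 1, 0). A trailing non-numeric suffix such as '-beta' is ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a, b):
    """True if version a is older than b; '1.9' and '1.9.0' compare equal."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def audit_headers(headers):
    """Given {slug: header text}, return {slug: version} for plugins still below the fix.

    A tracked plugin whose header has no Version: line is reported as 'unknown',
    because an unidentifiable version cannot be assumed safe."""
    findings = {}
    for slug, text in headers.items():
        fixed = FIXED_VERSIONS.get(slug)
        if fixed is None:
            continue  # not one of the plugins under discussion
        version = parse_version(text)
        if version is None:
            findings[slug] = "unknown"
        elif version_lt(version, fixed):
            findings[slug] = version
    return findings


def audit_plugins_dir(plugins_dir):
    """Read the header of every tracked plugin under wp-content/plugins and audit it."""
    headers = {}
    for plugin_dir in Path(plugins_dir).iterdir():
        if not (plugin_dir.is_dir() and plugin_dir.name in FIXED_VERSIONS):
            continue
        # The main file is a top-level PHP file; take the first one carrying a header.
        texts = (p.read_text(errors="replace") for p in sorted(plugin_dir.glob("*.php")))
        headers[plugin_dir.name] = next((t for t in texts if parse_version(t)), "")
    return audit_headers(headers)


# Constructed sample headers (not real plugin files) for an offline run.
SAMPLE_HEADERS = {
    "gutenkit-blocks-addon": "<?php\n/**\n * Plugin Name: GutenKit\n * Version: 2.1.0\n */\n",
    "hunk-companion": "<?php\n/*\nPlugin Name: Hunk Companion\nVersion: 1.9.0\n*/\n",
    "some-other-plugin": "<?php\n/**\n * Plugin Name: Other\n * Version: 0.1\n */\n",
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = audit_plugins_dir(target) if target else audit_headers(SAMPLE_HEADERS)
    for slug, version in sorted(result.items()):
        print(f"VULNERABLE {slug} {version} (fix: {FIXED_VERSIONS[slug]})")
    if not result:
        print("no tracked plugin below its fixed version")
```

Run it as `python audit.py /var/www/html/wp-content/plugins` on a live install; with no argument it audits the constructed sample and flags only GutenKit 2.1.0. The zero-padding in version_lt matters because plugin authors are inconsistent about writing 1.9 versus 1.9.0, and a naive tuple comparison would report the patched release as vulnerable.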

How Attackers Operate

Automated scanners hunt for sites with the vulnerable versions, then perform sequences like:

  1. Send requests to the unauthenticated REST endpoints /wp-json/gutenkit/v1/install-active-plugin or /wp-json/hc/v1/themehunk-import (these are the paths that later show up in a victim's access logs). 

  2. Use the endpoint to install a malicious plugin ZIP archive (often named “up”) fetched from attacker-controlled GitHub repositories, containing obfuscated scripts that create admin backdoors, manipulate file permissions or hide within other plugins. 

  3. If direct backdoor installation fails, install secondary plugins such as wp-query-console, which itself provides unauthenticated remote code execution. 

Why This Matters for Site Owners

With WordPress powering over 40% of websites globally, plugin weaknesses represent an attractive mass-target vector. 

Unpatched critical-severity flaws (CVSS 9.8) let an unauthenticated attacker install plugins of their choosing, which amounts to remote code execution without credentials. The result: compromised admin accounts, file uploads, malware drops, SEO abuse or entire site takeovers. These attacks can drive down search ranking, damage brand trust and trigger regulatory exposure.

Key Mitigation Steps

  • Immediately audit your plugin lineup: check whether GutenKit or Hunk Companion is installed, and update them to at least 2.1.1 and 1.9.0 respectively.

  • Implement continuous monitoring of access logs for REST endpoint abuse indicators such as /wp-json/gutenkit/v1/install-active-plugin.

  • Limit plugin usage: uninstall deprecated or high-risk plugins and avoid “just because” installations that expand your attack surface.

  • Deploy a hardened Web Application Firewall (WAF) tuned for WordPress plugin exploit signatures.

  • Maintain automated backups and test restore drills – a compromised site may require full rebuilds.
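To put the log-monitoring step into practice, here is an added example (not code from this page or from Wordfence) that scans access-log lines for the REST endpoints used in the attack sequence above and for follow-up requests into the rogue plugin directories this page names (up, wp-query-console, ultra-seo-processor-wp). It assumes the Apache/nginx combined log format and handles both the /wp-json/ form and the ?rest_route= form of the WordPress REST API; the log lines are constructed, with addresses from documentation IP ranges.

```python
"""Scan web-server access logs for the REST endpoints and rogue plugin
directories abused in the GutenKit / Hunk Companion campaign (added example).
Standard library only, so it runs offline on a saved log."""
import re
import sys
from urllib.parse import parse_qs, urlsplit

# Unauthenticated REST routes abused in the campaign (CVE IDs from the advisories).
EXPLOIT_ROUTES = {
    "/gutenkit/v1/install-active-plugin": "CVE-2024-9234 (GutenKit <= 2.1.0)",
    "/hc/v1/themehunk-import": "CVE-2024-9707 / CVE-2024-11972 (Hunk Companion <= 1.8.5)",
}
# Plugin directory names reported as dropped by the attackers.
ROGUE_PLUGIN_DIRS = {"up", "wp-query-console", "ultra-seo-processor-wp"}

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)
PLUGIN_DIR_RE = re.compile(r"/wp-content/plugins/([^/?#]+)")


def rest_route(path):
    """Return the REST route a request path addresses, or None.

    WordPress serves the REST API at /wp-json/<route> and, when pretty permalinks
    are disabled, at /?rest_route=/<route>; attackers use either form, and the
    site may live in a subdirectory, so both are normalised here."""
    parsed = urlsplit(path)
    if "/wp-json/" in parsed.path:
        return parsed.path.split("/wp-json", 1)[1].rstrip("/")
    route = parse_qs(parsed.query).get("rest_route")
    return route[0].rstrip("/") if route else None


def classify(line):
    """Return a finding dict for a suspicious request, or None for benign or unparsable lines.

    'reached' is True for a 2xx response: the request was neither blocked by a WAF
    nor rejected by a patched endpoint, so the host needs investigation."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, status = m["path"], int(m["status"])
    finding = {"ip": m["ip"], "time": m["time"], "method": m["method"],
               "path": path, "status": status, "reached": 200 <= status < 300}
    route = rest_route(path)
    if route in EXPLOIT_ROUTES:
        finding.update(indicator="exploit-endpoint", detail=EXPLOIT_ROUTES[route])
        return finding
    dm = PLUGIN_DIR_RE.search(urlsplit(path).path)
    if dm and dm.group(1) in ROGUE_PLUGIN_DIRS:
        finding.update(indicator="rogue-plugin-dir", detail=dm.group(1))
        return finding
    return None


def scan(lines):
    """Classify every line and keep the findings, in log order."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log lines (not from a real incident); 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [08/Oct/2025:12:00:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 143 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [08/Oct/2025:12:00:05 +0000] "GET /wp-content/plugins/up/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Oct/2025:12:03:11 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 403 52 "-" "python-requests/2.31"',
    '198.51.100.7 - - [08/Oct/2025:12:03:20 +0000] "POST /?rest_route=/hc/v1/themehunk-import HTTP/1.1" 401 75 "-" "python-requests/2.31"',
    '192.0.2.55 - - [08/Oct/2025:12:05:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8813 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [08/Oct/2025:12:05:02 +0000] "GET /wp-content/plugins/wp-query-console/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for f in scan(lines):
        flag = "REACHED" if f["reached"] else "refused"
        print(f'{f["time"]} {f["ip"]} {f["method"]} {f["path"]} {f["status"]} '
              f'{f["indicator"]} {f["detail"]} [{flag}]')
```

Run as `python scan_access_log.py /var/log/nginx/access.log`; without an argument it scans the constructed sample. On that sample the first two lines from 203.0.113.10 are the ones to act on: a 200 on install-active-plugin followed by a 200 on the dropped "up" plugin directory is exactly the sequence described above. The 403 and 401 responses show a WAF block and a patched endpoint refusing the request, and the 404 on wp-query-console shows a probe for a backdoor that is not present.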

Strategic Insight

This campaign underscores two recurring infosec truths: the speed of mass exploitation, and persistent lag in patch deployment across the ecosystem. Vendors provided fixes months ago; attackers found the window and exploited it.

For defenders and managed service providers, the business case is clear: plugin governance must become an operational risk control. Sites with high traffic or valuable brand reputations can’t treat extensions as “nice-to-have” add-ons; they are prime targets and liability vectors.

What To Expect Going Forward

Expect more of these broad-sweep campaigns as threat actors continue to weaponise automation and scanning. Given the plugin ecosystem’s size and diversity, both zero-day risk and the risk from long-unpatched flaws remain high. Look for:

  • Malicious plugin bundles renamed as legitimate plugins.

  • Use of must-use plugins (wp-content/mu-plugins), which load automatically and do not appear in the ordinary plugin list, and of hidden folders to persist after initial compromise. 

  • Cross-site abuses: compromised WordPress sites used to host malware, redirect traffic, or pivot into network infrastructure.

The mass exploit campaign targeting outdated WordPress plugins is a wake-up call: effective security demands both patch discipline and plugin rationalisation. Regular plugin inventory checks, swift patch application, and strict extension governance are no longer optional.

If you operate WordPress sites with business or brand risk, treat plugin management as an enterprise-grade control. The moment you skip an update, you leave your site exposed.

FAQs

Q1. Which exact plugins are under attack in this wave?
The campaign primarily targets the GutenKit plugin (version ≤ 2.1.0) and the Hunk Companion plugin (versions ≤ 1.8.4 and ≤ 1.8.5). (Source: BleepingComputer)

Q2. Can a site still be exploited if the core WordPress version is up to date?
Yes, because the vulnerabilities are in plugins, not the core. Even fully-updated WordPress installations remain vulnerable if third-party plugins remain unpatched.

Q3. What indicators should administrators search for in their site logs?
Look for REST endpoint access such as /wp-json/gutenkit/v1/install-active-plugin or /wp-json/hc/v1/themehunk-import, and for rogue plugin directories under wp-content/plugins such as /up, /wp-query-console and /ultra-seo-processor-wp. (Source: BleepingComputer)

Q4. Do these attacks always lead to full site takeover?
Not always but they provide enough access for attackers to drop admin backdoors, upload arbitrary files or pivot laterally. Given these capabilities, they effectively degrade site integrity and control.

Q5. What long-term governance should organisations adopt for WordPress plugin security?
Establish a plugin inventory, require periodic vulnerability checks, limit plugin use to essentials, treat plugin updates as part of your patch management process, and ensure logging + review of REST endpoints and file-system changes.
