Critical vulnerabilities in GutenKit and Hunk Companion plugins enable unauthenticated attackers to install malicious plugins and achieve remote code execution
⚠️ URGENT CYBERSECURITY ALERT ⚠️
October 27, 2025 – Global
Mass exploitation campaign targeting WordPress plugins GutenKit and Hunk Companion
Over 8.7 million exploit attempts blocked by Wordfence Firewall
Critical vulnerabilities allow unauthenticated plugin installation and remote code execution
KEY FACTS
- Affected Plugins: GutenKit (40,000+ installations) and Hunk Companion (8,000+ installations)
- CVSS Score: 9.8 (Critical) for all vulnerabilities
- Exploit Attempts: Over 8,755,000 blocked by Wordfence Firewall
- Attack Vector: REST API permission bypass enabling arbitrary plugin installation
- Impact: Remote code execution, website compromise, data theft
- Active Since: October 8, 2025 (resurgence of 2024 vulnerabilities)
ATTACK DETAILS & METHODS
Vulnerability Overview
As of October 27, 2025, cybersecurity researchers have identified a massive exploitation campaign targeting critical vulnerabilities in two popular WordPress plugins: GutenKit and Hunk Companion. These vulnerabilities, originally discovered in September and October 2024, have resurfaced as an active threat, demonstrating the persistent danger of unpatched installations across the WordPress ecosystem.
The attack vectors leverage improper permission checks in REST API endpoints, allowing unauthenticated attackers to install malicious plugins and achieve remote code execution without any authentication or user intervention. This represents one of the most significant WordPress security threats of 2025.
Technical Exploitation
The root cause is a misconfiguration in REST API endpoint registration: both plugins register permission callbacks that unconditionally return true, so every request, authenticated or not, is allowed through, which disables access control on those routes entirely.
In GutenKit, the vulnerable endpoint gutenkit/v1/install-active-plugin routes to the install_and_activate_plugin_from_external() function; Hunk Companion exposes equivalent functionality through hc/v1/themehunk-import.
The exploitation mechanism works by sending POST requests with arbitrary plugin URLs hosted on external repositories, typically GitHub or attacker-controlled domains. When an unauthenticated request reaches these endpoints, the server downloads and extracts the specified ZIP archive directly into wp-content/plugins without validating plugin authenticity or code integrity.
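To make the flaw concrete, here is an added illustration (not code from GutenKit, Hunk Companion or Wordfence) of the registration pattern the article describes, beside a hardened version. The route name in the vulnerable block matches the article; the `hypothetical/v1` namespace, the handler and validation function names, and the download-host allow-list are assumptions made for this example:

```php
<?php
// Added illustration, NOT code from GutenKit or Hunk Companion. The route in the
// first block matches the article; everything named "hypothetical_" is invented
// for this example.

// VULNERABLE PATTERN: the permission callback always returns true, so the
// plugin-installation handler is reachable by any unauthenticated visitor.
add_action( 'rest_api_init', function () {
    register_rest_route( 'gutenkit/v1', '/install-active-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'hypothetical_install_plugin_handler',
        'permission_callback' => '__return_true', // access control disabled
    ) );
} );

// HARDENED PATTERN (registered under a separate, hypothetical namespace so both
// blocks can coexist in one file): require the capability WordPress itself
// checks before anyone may install a plugin, and restrict the package source.
add_action( 'rest_api_init', function () {
    register_rest_route( 'hypothetical/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'hypothetical_install_plugin_handler',
        // For cookie-authenticated REST calls WordPress also demands a valid
        // X-WP-Nonce header; without it the current user is 0 and this is false.
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' );
        },
        'args' => array(
            'plugin_url' => array(
                'required'          => true,
                'validate_callback' => 'hypothetical_validate_plugin_source',
            ),
        ),
    ) );
} );

// Hypothetical allow-list: accept only HTTPS packages from the WordPress.org
// download host, never arbitrary external repositories.
function hypothetical_validate_plugin_source( $value ): bool {
    if ( ! is_string( $value ) ) {
        return false;
    }
    $scheme = wp_parse_url( $value, PHP_URL_SCHEME );
    $host   = wp_parse_url( $value, PHP_URL_HOST );
    return 'https' === $scheme
        && is_string( $host )
        && 'downloads.wordpress.org' === strtolower( $host );
}

// Hypothetical handler. Authorization is enforced by the permission_callback
// above; the handler only performs the install through WordPress's own upgrader
// and deliberately does not activate the result.
function hypothetical_install_plugin_handler( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/misc.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $request->get_param( 'plugin_url' ) );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    if ( true !== $result ) {
        return new WP_Error( 'install_failed', 'Plugin installation failed.', array( 'status' => 500 ) );
    }
    return new WP_REST_Response( array( 'installed' => $upgrader->plugin_info() ), 200 );
}
```

The two blocks differ only in the `permission_callback` and the `args` validation, which is exactly the gap the CVEs describe: the callback is the sole authorization boundary for a REST route, so returning true there hands the install primitive to anyone who can reach the site.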
Malicious Payloads
Wordfence Threat Response Unit analysts found that the malicious packages contain obfuscated PHP scripts carrying forged All in One SEO plugin headers to evade basic detection, along with base64-encoded file managers and backdoors disguised behind PDF headers, giving attackers complete control of the compromised system.
The installation runs automatically and activates the malicious code immediately, giving attackers direct command execution for installing additional malware, modifying site content, and establishing persistent access.
FEDERAL RESPONSE & WARNINGS
Wordfence Threat Response Unit analysts identified that attackers began mass exploitation again on October 8th, 2025, approximately one year after initial disclosure, indicating threat actors continue leveraging these critical flaws for large-scale compromise operations.
The Wordfence Firewall has already blocked more than 8,755,000 exploit attempts targeting these vulnerabilities since protective rules were deployed, highlighting the massive scale of this ongoing attack campaign.
Security researchers emphasize that these vulnerabilities represent a critical threat to WordPress ecosystem security, as they allow complete website compromise without any user interaction or authentication requirements.
EXPERT OPINIONS
Wordfence Threat Response Unit researchers noted that attackers distribute heavily obfuscated backdoors, file managers, and webshells capable of mass defacement, network reconnaissance, and terminal access.
The attacks abuse a permission callback that is set to return true, turning otherwise legitimate plugin-installation functionality into an unauthenticated entry point for system compromise.
The threat landscape reveals organized attack infrastructure with multiple malicious payloads designed for persistence and lateral movement, indicating sophisticated threat actor operations targeting WordPress websites globally.
FUTURE OUTLOOK
The resurgence of these vulnerabilities one year after initial disclosure highlights the persistent threat posed by unpatched WordPress installations. As WordPress powers over 40% of all websites globally, these vulnerabilities represent a significant risk to web security infrastructure.
Security experts predict continued exploitation attempts as threat actors leverage the widespread adoption of these plugins and the ease of exploitation through unauthenticated API endpoints.
CRITICAL RECOMMENDATIONS
Immediate Actions Required:
- Update Immediately: Update GutenKit to version 2.1.1 and Hunk Companion to version 1.9.0
- Security Audit: Review wp-content/plugins and wp-content/upgrade directories for suspicious installations
- Access Monitoring: Monitor access logs for requests to vulnerable endpoints
- Firewall Rules: Implement firewall rules to restrict API access to authenticated users only
Endpoint Monitoring:
- /wp-json/gutenkit/v1/install-active-plugin
- /wp-json/hc/v1/themehunk-import
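The following is an added detection example (not from the article or from Wordfence) that scans web-server access logs in Apache/Nginx combined format for requests to the two endpoints listed above. It also recognises the `?rest_route=` form of a REST call, which WordPress accepts when pretty permalinks are off. The log lines embedded at the end are constructed samples with documentation-range IPs, not real traffic:

```php
<?php
// Added example, not from the article or from Wordfence. Scans access logs in
// Apache/Nginx "combined" format for requests to the vulnerable REST endpoints.
// The sample lines at the bottom are constructed, not real log data.

const VULNERABLE_ENDPOINTS = array(
    '/wp-json/gutenkit/v1/install-active-plugin',
    '/wp-json/hc/v1/themehunk-import',
);

// ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
const ACCESS_LOG_PATTERN = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /';

/**
 * Return a hit record if the line is a request to a vulnerable endpoint,
 * otherwise null. Matches both /wp-json/... and ?rest_route=/... forms.
 */
function match_vulnerable_request( string $line ): ?array {
    if ( ! preg_match( ACCESS_LOG_PATTERN, $line, $m ) ) {
        return null; // not a parseable access-log line
    }
    list( , $ip, $time, $method, $target, $status ) = $m;
    $code = (int) $status;

    $path  = (string) parse_url( $target, PHP_URL_PATH );
    $query = array();
    parse_str( (string) parse_url( $target, PHP_URL_QUERY ), $query );
    $route = isset( $query['rest_route'] ) ? (string) $query['rest_route'] : '';

    foreach ( VULNERABLE_ENDPOINTS as $endpoint ) {
        $short = substr( $endpoint, strlen( '/wp-json' ) ); // e.g. /hc/v1/themehunk-import
        if ( rtrim( $path, '/' ) === $endpoint || rtrim( $route, '/' ) === $short ) {
            return array(
                'ip'       => $ip,
                'time'     => $time,
                'method'   => $method,
                'endpoint' => $endpoint,
                'status'   => $code,
                // A 2xx on a POST means the request reached the handler; on an
                // unpatched site that is a likely successful plugin install, so
                // wp-content/plugins should be reviewed for that time window.
                'reached'  => 'POST' === $method && $code >= 200 && $code < 300,
            );
        }
    }
    return null;
}

function scan_access_log( iterable $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $hit = match_vulnerable_request( (string) $line );
        if ( null !== $hit ) {
            $hits[] = $hit;
        }
    }
    return $hits;
}

// Constructed sample lines (not real log data).
$sample_lines = array(
    '203.0.113.10 - - [08/Oct/2025:03:14:07 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 184 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Oct/2025:03:15:22 +0000] "POST /index.php?rest_route=/hc/v1/themehunk-import HTTP/1.1" 403 92 "-" "curl/8.4.0"',
    '192.0.2.55 - - [08/Oct/2025:03:16:01 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

foreach ( scan_access_log( $sample_lines ) as $hit ) {
    printf(
        "%s %s %s -> %s (HTTP %d)%s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['endpoint'], $hit['status'],
        $hit['reached'] ? '  [reached handler - investigate]' : ''
    );
}
```

Against the constructed samples the first line is reported as having reached the handler, the second as blocked (403), and the third, an ordinary REST request, is ignored. To run it over a real file, pass an iterable of lines such as `new SplFileObject( '/var/log/nginx/access.log' )` to `scan_access_log()`; a 403 from the firewall is expected noise, while any 2xx POST predating the patch deserves a review of the plugins directory.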
Long-term Security Measures:
- Implement regular security audits of WordPress installations
- Use security plugins with real-time threat detection
- Maintain regular backups of website data
- Monitor for unusual plugin installations or modifications
VULNERABILITY DETAILS TABLE
| CVE ID | Plugin | Affected Versions | Patched Version | CVSS Score | Vulnerability Type | Bounty |
|---|---|---|---|---|---|---|
| CVE-2024-9234 | GutenKit | ≤ 2.1.0 | 2.1.1 | 9.8 (Critical) | Unauthenticated Arbitrary File Upload | $716.00 |
| CVE-2024-9707 | Hunk Companion | ≤ 1.8.4 | 1.9.0 | 9.8 (Critical) | Missing Authorization – Arbitrary Plugin Installation | $537.00 |
| CVE-2024-11972 | Hunk Companion | ≤ 1.8.5 | 1.9.0 | 9.8 (Critical) | Missing Authorization – Plugin Installation Bypass | N/A |
RESOURCES AND REPORTING
Security Tools:
- Wordfence Firewall (blocking 8.7M+ attempts)
- WordPress Security Plugins
- Regular vulnerability scanning
Reporting: Website administrators should report suspicious activity to their hosting providers and security teams immediately.
Source: Cyberupdates365
Cybersecurity Expert | DevOps Engineer
Founder and lead author at CyberUpdates365. Specializing in DevSecOps, cloud security, and threat intelligence. My mission is to make cybersecurity knowledge accessible through practical, easy-to-implement guidance. Strong believer in continuous learning and community-driven security awareness.