Exploitation campaign targets multiple older critical vulnerabilities in WordPress sites
Take action: If you're using GutenKit or Hunk Companion plugins on WordPress, immediately update GutenKit to version 2.1.1 or later and Hunk Companion to version 1.9.0 or later - these are under massive attack with over 8 million exploitation attempts. Enable automatic updates for all WordPress plugins.
WordPress security firm Wordfence reports a large-scale exploitation campaign targeting WordPress websites through older critical vulnerabilities in the GutenKit and Hunk Companion plugins. Wordfence says it blocked over 8.7 million attack attempts in two days, on October 8 and 9, 2025.
The campaign exploits three critical-severity vulnerabilities, all rated 9.8 on the CVSS scale:
- CVE-2024-9234 (CVSS score 9.8) - Unauthenticated arbitrary file upload vulnerability due to missing capability check on the install_and_activate_plugin_from_external() function
- CVE-2024-9707 (CVSS score 9.8) - Missing authorization vulnerability in the themehunk-import REST endpoint
- CVE-2024-11972 (CVSS score 9.8) - Missing authorization vulnerability that bypasses the patch for CVE-2024-9707
The vulnerabilities were initially reported through the Wordfence Bug Bounty Program on September 25, 2024, for GutenKit and on October 3, 2024, for Hunk Companion.
Threat actors are sending malicious POST requests to the vulnerable REST API endpoints, instructing the plugins to download and install malicious plugin packages from attacker-controlled servers. The threat actors host these plugins on GitHub and other file-sharing platforms; the packages contain heavily obfuscated backdoor scripts.
Wordfence's report lists the top ten offending IP addresses, which together account for millions of blocked requests.
The report also lists the domains used to host the malicious plugin packages, including a public file-sharing website.
Malicious Plugin Directories:
- /up or up.zip - maliciously crafted plugin package
- /background-image-cropper or background-image-cropper.zip
- /ultra-seo-processor-wp or ultra-seo-processor-wp.zip
- /oke or oke.zip
- /wp-query-console - legitimate but vulnerable WordPress plugin exploited for RCE
The GutenKit plugin has approximately 40,000 active installations, and Hunk Companion has approximately 8,000 active installations across WordPress websites globally. Security researchers estimate that tens of thousands of websites remain vulnerable to these exploits as of October 2025.
WordPress site administrators should update GutenKit to version 2.1.1 or later and Hunk Companion to version 1.9.0 or later, and enable automatic plugin updates where possible.
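As an added defender-side example (not code from Wordfence or either plugin), the script below turns the report's facts into three checks: whether an installed plugin version is below the fixed release, whether a web server log shows POST requests to the Hunk Companion themehunk-import REST route described above, and whether any of the listed malicious plugin directory names are present. The log lines and the `/wp-json/hc/v1/themehunk-import` path are constructed samples.

```python
import re

# Fixed releases from the advisory; anything lower is affected.
PATCHED = {"GutenKit": (2, 1, 1), "Hunk Companion": (1, 9, 0)}

# Plugin directory names the report associates with the campaign
# (wp-query-console is a legitimate plugin that the attackers abuse for RCE).
SUSPICIOUS_SLUGS = {"up", "background-image-cropper",
                    "ultra-seo-processor-wp", "oke", "wp-query-console"}

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_version(text):
    """'2.1.0' -> (2, 1, 0); tolerates suffixes such as '1.8.9-beta'."""
    return tuple(int(p) for p in re.findall(r"\d+", text)) or (0,)

def needs_update(plugin, installed):
    """True when the installed version is older than the fixed release."""
    fixed = PATCHED[plugin]
    version = parse_version(installed)
    version += (0,) * (len(fixed) - len(version))  # pad '2.1' to '2.1.0'
    return version < fixed

def flag_exploit_attempts(lines):
    """Return (ip, path) for POST requests hitting the themehunk-import route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and "themehunk-import" in m.group("path"):
            hits.append((m.group("ip"), m.group("path")))
    return hits

def suspicious_plugins(installed_slugs):
    """Installed plugin directories whose names match the campaign's packages."""
    return sorted(set(installed_slugs) & SUSPICIOUS_SLUGS)

# Constructed sample log lines (documentation IP ranges, not real attackers).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Oct/2025:10:15:02 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.7 - - [08/Oct/2025:10:15:09 +0000] "GET /wp-json/hc/v1/themehunk-import HTTP/1.1" 401 87 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [08/Oct/2025:10:16:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("GutenKit 2.1.0 needs update:", needs_update("GutenKit", "2.1.0"))
    print("Exploit attempts:", flag_exploit_attempts(SAMPLE_LOG))
    print("Suspicious plugins:", suspicious_plugins(["akismet", "oke", "wp-query-console"]))
```

Run it against the real access log and plugin directory listing to triage a site after the campaign window; a hit on the REST route with a 200 status is the case that warrants a full compromise assessment.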