
Year-Old WordPress Plugin Flaws Exploited to Hack Websites

Roughly 9 million exploit attempts were observed this month as mass exploitation of the critical vulnerabilities recommenced.


Three critical-severity vulnerabilities in the GutenKit and Hunk Companion WordPress plugins have been exploited in a new campaign, Defiant warns.

Mass exploitation of the security defects started on October 8, with roughly 9 million exploit attempts blocked by the WordPress security firm over a two-week period, and follows previously identified large-scale campaigns targeting the same bugs.

GutenKit versions prior to 2.1.1 are affected by CVE-2024-9234, a missing capability check issue leading to arbitrary file uploads. The flaw allows attackers to install and activate arbitrary plugins or upload files masquerading as plugins.

Hunk Companion versions prior to 1.8.4 and 1.8.5 are vulnerable to unauthorized plugin installation/activation due to two missing capability check vulnerabilities in the ‘themehunk-import’ REST API endpoint.

Tracked as CVE-2024-9707 and CVE-2024-11972, the flaws allow unauthenticated attackers to install plugins and achieve remote code execution through other vulnerable plugins.
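The "missing capability check" behind all three CVEs comes down to a REST endpoint whose handler installs plugins without verifying the caller's privileges. The PHP below is added here for illustration and is not code from GutenKit, Hunk Companion or Defiant; the route namespace, route names and handler function are hypothetical. It contrasts the unguarded registration with one that requires the `install_plugins` capability.

```php
<?php
// Added illustrative example; not code from GutenKit, Hunk Companion or Defiant.
// The route namespace and names ("example-plugin/v1", "/import") are hypothetical.
// VULNERABLE pattern: permission_callback always returns true, so any
// unauthenticated client can reach a handler that installs plugins.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/import', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_install_from_repo',
        'permission_callback' => '__return_true', // the missing capability check
    ) );
} );

// HARDENED pattern: require the install_plugins capability, which is the
// privilege that installing or activating a plugin actually demands.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/import-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_install_from_repo',
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' )
                ? true
                : new WP_Error( 'rest_forbidden', 'Insufficient privileges',
                    array( 'status' => rest_authorization_required_code() ) );
        },
    ) );
} );

// Shared handler. The capability is re-checked here so the handler stays safe
// if it is ever reached by another code path, and only a wordpress.org slug is
// accepted rather than an arbitrary download URL chosen by the client.
function example_plugin_install_from_repo( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges', array( 'status' => 403 ) );
    }
    $slug = sanitize_key( $request->get_param( 'slug' ) );
    if ( '' === $slug ) {
        return new WP_Error( 'rest_invalid_param', 'Missing plugin slug', array( 'status' => 400 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    return rest_ensure_response( array( 'slug' => $slug, 'installed' => true === $result ) );
}
```

When auditing a plugin, search its `register_rest_route` calls for `'__return_true'` or a missing `permission_callback` on any route whose handler writes files, installs or activates plugins, or changes options.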

As part of the recent attacks targeting the three security defects, the threat actor has distributed a malicious ZIP file posing as a plugin, which is hosted on GitHub.


The file contains several scripts that act as backdoors and attempt to establish persistence. One script in the archive allows the attackers to automatically log in as administrators.

The ZIP also includes scripts that change file permissions, allowing the attackers to download and view files, and to archive entire folders into ZIP files. Other file upload/manager scripts are also included in the code.

Another file in the archive is a tool capable of mass defacement, network sniffing, and file management. It also has remote code execution functionality, allowing the attackers to deploy additional payloads.

GutenKit and Hunk Companion have over 40,000 and 8,000 active installations, respectively. Although the exploited vulnerabilities were patched over a year ago, they continue to represent attractive targets for threat actors, as the fresh campaign shows.

Site administrators are advised to update their plugins to the most recent, patched versions, and to review the indicators of compromise (IOCs) shared by Defiant to identify potential compromise.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
