Millions of WordPress Sites Under Attack Through Old Plugin Flaws
A massive hacking campaign is sweeping across WordPress sites, exploiting long-fixed flaws in two popular plugins, GutenKit and Hunk Companion, to gain full control of websites. Security experts warn that millions of sites could be at risk if administrators fail to update outdated versions.
Hackers Exploit Critical WordPress Plugin Vulnerabilities
WordPress security company Wordfence revealed that it blocked 8.7 million attack attempts in just 48 hours, between October 8 and 9, targeting websites using vulnerable versions of GutenKit and Hunk Companion.
The attacks take advantage of three critical vulnerabilities — CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972 — all carrying a CVSS score of 9.8, which is near the maximum severity rating.
CVE-2024-9234 affects GutenKit versions 2.1.0 and earlier, exposing an unauthenticated REST endpoint that lets attackers install arbitrary plugins without any login.
CVE-2024-9707 and CVE-2024-11972 impact Hunk Companion versions 1.8.5 and older, with missing authorization checks in the “themehunk-import” REST endpoint that can also allow rogue plugin installation.
This combination of flaws lets hackers quietly add malicious plugins, opening the door for remote code execution (RCE), full website takeovers, and data theft.
How the Attack Campaign Works
Wordfence researchers observed that the attackers are using GitHub to host a malicious plugin archive named “up.zip”. The file contains heavily obfuscated scripts designed to upload, download, and delete files, or even modify server permissions.
One of the malicious scripts, disguised as part of the All in One SEO plugin, uses a password-protected function to log the hacker in as an administrator. Once inside, attackers can steal sensitive data, upload new backdoors, or maintain long-term access to the infected system.
If the initial exploit does not grant full admin privileges, attackers often install another plugin, wp-query-console, which itself has known vulnerabilities that can be exploited to execute code without authentication.
The entire attack chain is engineered for persistence, flexibility, and stealth.
Old Flaws, New Victims
Although the developers fixed these flaws months ago — GutenKit 2.1.1 in October 2024 and Hunk Companion 1.9.0 in December 2024 — many websites still use outdated versions.
WordPress statistics show that tens of thousands of websites continue to run older plugin releases, leaving them open to compromise. GutenKit alone has around 40,000 active installations, while Hunk Companion is used on about 8,000 sites.
This highlights a persistent challenge in WordPress security: site owners often delay or ignore plugin updates, giving hackers a window of opportunity long after patches are available.
| Plugin Name | Vulnerability ID | Affected Versions | Patched Version | Type of Flaw | Active Installs |
|---|---|---|---|---|---|
| GutenKit | CVE-2024-9234 | 2.1.0 and earlier | 2.1.1 | Unauthenticated REST Endpoint | 40,000 |
| Hunk Companion | CVE-2024-9707 | 1.8.4 and older | 1.9.0 | Missing Authorization | 8,000 |
| Hunk Companion | CVE-2024-11972 | 1.8.5 and earlier | 1.9.0 | Missing Authorization | 8,000 |
Signs of Compromise Website Owners Should Check
Security researchers shared clear indicators of compromise (IoCs) that administrators can look for to determine if their sites were targeted.
Admins should scan access logs for the following suspicious REST API requests:
- /wp-json/gutenkit/v1/install-active-plugin
- /wp-json/hc/v1/themehunk-import
Additionally, site owners are advised to check for rogue directories that might indicate successful breaches:
- /up/
- /background-image-cropper/
- /ultra-seo-processor-wp/
- /oke/
- /wp-query-console/
If any of these entries are found, administrators should immediately remove the malicious files, reset all credentials, and update plugins to their latest versions.
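The log check described above, as an added example that is not part of the original article or of Wordfence's tooling: it parses Apache/nginx combined-format access log lines (a constructed sample is embedded), flags requests to the two REST endpoints, also catching the `?rest_route=` form WordPress accepts for the same routes, and looks for the rogue directories under an assumed plugins path.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# REST endpoints named in the article's indicators of compromise
SUSPICIOUS_ENDPOINTS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)
# Rogue directory names from the article, expected under wp-content/plugins
ROGUE_DIRS = ("up", "background-image-cropper", "ultra-seo-processor-wp",
              "oke", "wp-query-console")

# Apache/nginx "combined" log format: client IP, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_rest_path(target):
    """Reduce a request target to its REST route; WordPress also serves
    routes via /?rest_route=/..., so fold that form into the /wp-json form."""
    parts = urlsplit(target)
    route = parse_qs(parts.query).get("rest_route")
    path = "/wp-json" + route[0] if route else parts.path
    return path.rstrip("/")

def scan_access_log(lines):
    """Return one record per request that hit a suspicious endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        path = normalize_rest_path(m.group("target"))
        if path in SUSPICIOUS_ENDPOINTS:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "method": m.group("method"), "path": path,
                         "status": int(m.group("status"))})
    return hits

def find_rogue_plugin_dirs(plugins_dir):
    """Return which of the known rogue directory names exist on disk."""
    root = Path(plugins_dir)
    return sorted(d for d in ROGUE_DIRS if (root / d).is_dir())

# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Oct/2025:10:21:03 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Oct/2025:10:21:09 +0000] "POST /wp-json/hc/v1/themehunk-import/ HTTP/1.1" 403 146 "-" "curl/8.0"',
    '192.0.2.4 - - [08/Oct/2025:10:22:41 +0000] "POST /?rest_route=/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.10 - - [08/Oct/2025:10:23:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    # Assumed plugins path; adjust to the site's actual install location
    print("rogue plugin dirs:", find_rogue_plugin_dirs("/var/www/html/wp-content/plugins"))
```

A 200 response on either endpoint is the result worth treating as a probable compromise; a 403 from a firewall still records the attempt and the source address.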
How Website Owners Can Stay Protected
Experts emphasize that regular plugin maintenance is the best defense against such mass exploitation campaigns.
To strengthen WordPress security, administrators should:
- Always keep plugins, themes, and the WordPress core updated.
- Use a web application firewall (WAF) or security service to block malicious requests.
- Limit plugin installations only to trusted, verified sources.
- Perform periodic scans to detect unauthorized files or changes.
Wordfence’s data shows that attack traffic often originates from specific IP addresses known for malicious behavior. Blocking these IPs or deploying an updated firewall rule set can help mitigate risks.
Neglecting updates on WordPress sites is like leaving the front door open — attackers will find a way in.
The campaign illustrates how cybercriminals increasingly target small and medium-sized website owners who rely on outdated security practices, making them easy prey for automated attack tools.
A Growing Problem for WordPress Security
WordPress powers over 43% of all websites on the internet, making it the most popular content management system but also the most targeted. Attackers favor it for its large ecosystem of third-party plugins, which often become weak points when not maintained properly.
Security analysts note that the increasing automation of hacking tools allows criminals to scan and attack thousands of websites within hours, leveraging even year-old vulnerabilities like these.
The current campaign serves as another reminder that patch management is not optional. As one researcher put it, “Attackers don’t need zero-days when site owners don’t apply the patches.”
Website security is no longer a one-time setup — it’s a continuous responsibility.