Three critical-severity vulnerabilities in the GutenKit and Hunk Companion WordPress plugins have been exploited in a new campaign.
According to István Márton, a vulnerability research contractor at Wordfence, mass exploitation of the security defects began on 8 October, with roughly 9 million exploit attempts blocked by the WordPress security firm over a two-week period, following a previously identified large-scale campaign targeting the same bugs.
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.5.
This makes it possible for unauthenticated actors to install and activate arbitrary plugins, which can be leveraged to gain remote code execution if another vulnerable plugin is installed and activated. This is a bypass of CVE-2024-9707.
GutenKit versions prior to 2.1.1 are affected by CVE-2024-9234, a missing capability check issue leading to arbitrary file uploads.
The flaw allows malefactors to install and activate arbitrary plugins or upload files masquerading as plugins. Hunk Companion versions prior to 1.8.4 and 1.8.5 are vulnerable to unauthorized plugin installation/activation due to two missing capability check vulnerabilities in the ‘themehunk-import’ REST API endpoint.
Tracked as CVE-2024-9707 and CVE-2024-11972, the flaws allow unauthenticated attackers to install plugins and achieve remote code execution through other vulnerable plugins.
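As an added illustration, not the Hunk Companion plugin's actual source, here is the bug class described above in WordPress REST terms: the weak registration that omits the capability check, beside a hardened route that requires the `install_plugins` capability. The namespace and route follow the endpoint named above; the function names, the allowlist and its slugs are assumptions.

```php
<?php
// Weak pattern (the bug class the article describes): this one line lets the
// handler run for ANY visitor, because no capability is ever checked.
//   'permission_callback' => '__return_true',
// Hardened registration below; namespace/route follow /wp-json/hc/v1/themehunk-import.
add_action( 'rest_api_init', function () {
    register_rest_route( 'hc/v1', '/themehunk-import', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST only
        'callback'            => 'example_hc_import_plugin',
        'permission_callback' => 'example_hc_import_permission',
        'args'                => array(
            'plugin' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

// Require the capability WordPress itself demands for plugin installation.
// Without a valid X-WP-Nonce the REST layer treats a cookie session as
// anonymous, so this fails closed (401/403) for unauthenticated callers.
function example_hc_import_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error( 'rest_forbidden', 'You are not allowed to install plugins.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

// Handler: even for an authorized caller, install only slugs this product is
// meant to set up (constructed allowlist), fetched from the wordpress.org API.
function example_hc_import_plugin( WP_REST_Request $request ) {
    $slug    = $request->get_param( 'plugin' );
    $allowed = array( 'example-companion-a', 'example-companion-b' ); // constructed
    if ( ! in_array( $slug, $allowed, true ) ) {
        return new WP_Error( 'rest_invalid_param', 'Plugin not in allowlist.', array( 'status' => 400 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    return rest_ensure_response( array( 'plugin' => $slug, 'installed' => ( true === $result ) ) );
}
```

With the hardened permission callback in place, an anonymous POST to the route never reaches the handler, which is the behaviour the missing check removed.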
Exposing Organizations to Unnecessary Risk
Vineeta Sangaraju, Security Solutions Engineer at Black Duck, says the fact that critical vulnerabilities in these open-source plugins for one of the most popular content management systems are being mass-exploited a full year after discovery and patching highlights a troubling industry reality: open source is still treated as ‘set and forget.’
“The 2025 OSSRA report shows that open-source component usage has tripled in just four years, and that 90% of applications contain open-source software that’s, on average, ten versions behind current releases. This heavy dependence, coupled with lapses in critical maintenance, continues to expose organizations to unnecessary risk. Awareness, better judgment, and timely updates are imperative. The estimated eight million exploit attempts against WordPress sites in October 2025 alone suggest attackers are capitalizing on the industry’s neglectful attitude toward open source.”
Plugin Management is a Security Function
Randolph Barr, Chief Information Security Officer at Cequence Security, adds that these are critical vulnerabilities, and while patches are available, many entities may still be exposed.
“What often makes this type of incident risky is that WordPress environments are frequently managed by marketing or communications teams rather than IT or security. Unless your organization has a strong third-party vulnerability management process in place, it’s important to connect with your marketing or web team immediately and confirm that these plugins have been patched or removed.”
Barr adds that this also surfaces a recurring topic among security practitioners: the importance of having defined SLAs for vulnerability remediation. “While attackers are now capable of exploiting disclosed vulnerabilities within roughly 15 days, research shows that the average time to remediate critical vulnerabilities exceeds 60 days in many organizations. That discrepancy creates a significant exposure window, particularly when systems are managed externally by vendors or agencies.”
He advises organizations to review their third-party vulnerability management programs to ensure clear accountability and timely remediation. “Some companies go a step further by embedding remediation SLAs directly into vendor contracts, for example, requiring that critical vulnerabilities be patched within 14 days. Working closely with legal and procurement teams to establish those expectations during onboarding or renewal cycles helps ensure that external partners maintain the same level of security rigor as internal teams.”
Ultimately, Barr says this event highlights how plugin management is not just a marketing task — it’s a security function. “Treating third-party web platforms and their components with the same risk discipline as any other enterprise software is key to maintaining resilience in today’s threat landscape.”
Automation Exploiting Known Vulnerabilities at Scale
Christopher Jess, Senior R&D Manager at Black Duck, says this isn’t a zero-day; it’s automation exploiting known vulnerabilities at scale. “The GutenKit and Hunk Companion flaws let unauthenticated attackers install or upload plugins, which is a short hop to full site takeover once a secondary payload lands.”
Jess adds that Wordfence telemetry shows millions of exploit attempts beginning 8 October, so assume broad, indiscriminate scanning rather than targeted ops. “There are clear indicators of attack and compromise that organizations can check for.”
He says this attack is easily mitigated by patching the affected plugins: GutenKit to 2.1.1+ and Hunk Companion to 1.9.0+. “Organizations using these components should update immediately, audit for rogue plugins or new admin users, rotate credentials if anything looks off, and add WAF rules to block the two abused REST endpoints. This campaign is a reminder that plugin hygiene is supply-chain security for WordPress.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

