Critical WordPress Plugin Bugs Exploited En Masse


Threat actors are attempting to exploit three critical CVEs from 2024 impacting two popular WordPress plugins, according to Wordfence.

The security vendor said the bugs affect the GutenKit and Hunk Companion plugins, which have over 40,000 and 8,000 active installations respectively.

“These vulnerabilities make it possible for unauthenticated threat actors to install and activate arbitrary plugins, which can be leveraged to achieve remote code execution [RCE],” it warned in an update late last week.

Wordfence said it received the vulnerability reports through its bug bounty program on September 25 and October 3, 2024. While its own customers are protected by updated firewall rules, the same is not true for every organization running the plugins.


The vendor has already blocked nearly 8.8 million exploitation attempts, hinting at the scale of the campaign, which sprang back to life on October 8.

The three CVEs currently under exploitation are:

  • CVE-2024-9234: An RCE bug that enables unauthenticated attackers to install and activate arbitrary plugins, or to abuse the same functionality to upload arbitrary files disguised as plugins. It has a CVSS rating of 9.8 and affects all versions of the GutenKit – Page Builder Blocks, Patterns and Templates for Gutenberg Block Editor plugin up to and including 2.1.0.
  • CVE-2024-9707: A critical vulnerability that makes it possible for unauthenticated attackers to install and activate arbitrary plugins. This can be used to achieve RCE if another vulnerable plugin is installed and activated. It has a CVSS score of 9.8 and affects all versions of the Hunk Companion plugin for WordPress up to and including 1.8.4.
  • CVE-2024-11972: A critical unauthorized plugin installation/activation vulnerability affecting all versions of the Hunk Companion plugin for WordPress up to and including 1.8.5, with a CVSS score of 9.8. It is a bypass of the fix for CVE-2024-9707, so a site on 1.8.5 is still exposed: unauthenticated attackers can install and activate arbitrary plugins and reach RCE if another vulnerable plugin is installed and activated.
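The practical first step for an administrator is to find out whether a site is running an affected build, remembering that Hunk Companion 1.8.5 fixes CVE-2024-9707 but not CVE-2024-11972. The script below is an added example written for this page, not Wordfence's tooling or either plugin's own code: it reads the standard WordPress plugin header ("Plugin Name:" / "Version:") from each plugin's main PHP file under wp-content/plugins, matches plugins by the name prefixes given above, and reports which of the three CVE ranges cover the installed version. The sample plugin files and directory slugs it writes to a temporary directory are constructed for the demonstration and are not real plugin code.

```python
"""Flag WordPress plugin versions inside the affected ranges reported for
CVE-2024-9234 (GutenKit <= 2.1.0), CVE-2024-9707 (Hunk Companion <= 1.8.4)
and CVE-2024-11972 (Hunk Companion <= 1.8.5). Added example, not vendor code."""
import re
import tempfile
from pathlib import Path

# (plugin header name prefix, CVE, last affected version) as stated in the advisory.
AFFECTED = [
    ("GutenKit", "CVE-2024-9234", "2.1.0"),
    ("Hunk Companion", "CVE-2024-9707", "1.8.4"),
    ("Hunk Companion", "CVE-2024-11972", "1.8.5"),
]

# Matches "Plugin Name: X" / "Version: X" lines inside a /* ... */ header, with or without a leading "*".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin file header, or None if it has no header."""
    fields = dict(HEADER_RE.findall(text[:8192]))  # WordPress itself only reads the start of the file
    return fields if "Plugin Name" in fields else None


def version_key(v):
    """Numeric tuple for comparison: '2.1' == '2.1.0'; pre-release suffixes such as '-beta1' are ignored."""
    nums = [int(p) for p in re.findall(r"\d+", v.split("-")[0])]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def assess(name, version):
    """CVE IDs whose affected range covers this plugin name/version (empty list means not affected)."""
    return [cve for prefix, cve, last in AFFECTED
            if name.startswith(prefix) and version_key(version) <= version_key(last)]


def scan_plugins_dir(root):
    """Walk <root>/<slug>/*.php, parse the first file with a header, return (slug, name, version, cves)."""
    results = []
    for plugin_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for php in sorted(plugin_dir.glob("*.php")):
            header = parse_plugin_header(php.read_text(errors="replace"))
            if header:
                name, version = header["Plugin Name"], header.get("Version", "0")
                # A missing Version header sorts below every release and is flagged conservatively.
                results.append((plugin_dir.name, name, version, assess(name, version)))
                break
    return results


# Constructed sample plugin files (assumed slugs and minimal headers, not the real plugins).
SAMPLE_PLUGINS = {
    "gutenkit-blocks-addon": "<?php\n/**\n * Plugin Name: GutenKit – Page Builder Blocks, Patterns and "
                             "Templates for Gutenberg Block Editor\n * Version: 2.1.0\n */\n",
    "hunk-companion": "<?php\n/*\nPlugin Name: Hunk Companion\nVersion: 1.8.5\n*/\n",
    "akismet": "<?php\n/*\nPlugin Name: Akismet Anti-spam\nVersion: 5.3\n*/\n",
}


def demo():
    """Write the constructed samples into a temporary plugins directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for slug, src in SAMPLE_PLUGINS.items():
            d = Path(tmp) / slug
            d.mkdir()
            (d / f"{slug}.php").write_text(src, encoding="utf-8")
        return scan_plugins_dir(tmp)


if __name__ == "__main__":
    # Point scan_plugins_dir() at a real wp-content/plugins path to check a live site.
    for slug, name, version, cves in demo():
        status = ", ".join(cves) if cves else "not in an affected range"
        print(f"{slug:24} {version:8} {status}")
```

Version matching is deliberately conservative: a GutenKit or Hunk Companion directory with no readable "Version:" header is reported as affected rather than silently skipped, and a site is clear only when every entry for those two plugins returns no CVE IDs.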

The vulnerabilities allow threat actors to “easily” hijack targeted sites by uploading PHP files and executing malicious code on the server, Wordfence warned.

The vendor also released a list of attacker IP addresses and domains seen in the campaign, which network defenders can use to block the traffic and hunt for earlier activity in their logs.
