Listen to this Post

🔥 Introduction: A Digital Storm Reawakens
Once again, outdated WordPress plugins have become the open doors through which hackers flood into unsuspecting websites. A widespread exploitation campaign has erupted, targeting millions of WordPress installations running vulnerable versions of the GutenKit and Hunk Companion plugins. These vulnerabilities, long patched yet still ignored by many site owners, are now fueling a powerful surge of remote code execution (RCE) attacks. The incident underscores a sobering truth: in cybersecurity, neglect is often the most dangerous vulnerability of all.
🚨 Summary of the Cyber Onslaught
In early October, WordPress security firm Wordfence revealed it had blocked over 8.7 million attack attempts in just two days (October 8–9) against its customer base. The coordinated wave of attacks exploits three critical flaws, each rated with a CVSS score of 9.8, indicating the highest level of severity.
The vulnerabilities—CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972—affect two popular plugins, GutenKit and Hunk Companion, which together have nearly 50,000 installations.
CVE-2024-9234, found in GutenKit 2.1.0 and earlier, is an unauthenticated REST endpoint flaw that allows attackers to install arbitrary plugins remotely.
CVE-2024-9707 and CVE-2024-11972, discovered in Hunk Companion versions 1.8.5 and older, are authorization bypass issues that can also enable unauthorized plugin installations.
Although both plugins were patched months ago—GutenKit 2.1.1 was released in October 2024 and Hunk Companion 1.9.0 in December 2024—thousands of websites remain vulnerable because administrators have not updated their systems.
According to Wordfence, attackers are distributing a malicious plugin named “up” through GitHub, disguised inside a ZIP file. Once installed, it unleashes obfuscated scripts that perform file uploads, deletions, permission modifications, and even automatic admin logins. One script masquerades as part of the All in One SEO plugin, giving attackers stealthy persistence and control.
If attackers fail to gain full administrative access immediately, they pivot by installing another compromised plugin called wp-query-console, which grants them unauthenticated remote code execution privileges.
The result: attackers can execute arbitrary commands, steal sensitive data, plant backdoors, and maintain persistent access across infected websites.
Security analysts have identified telltale signs of compromise. Site administrators should inspect logs for unusual REST endpoint requests, particularly:
/wp-json/gutenkit/v1/install-active-plugin
/wp-json/hc/v1/themehunk-import
Additionally, they should check directories such as /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console for rogue entries.
Wordfence has shared multiple malicious IP addresses associated with these attacks, enabling administrators to set up more effective firewall defenses.
The message from security experts is crystal clear: update all WordPress plugins immediately and verify that no unauthorized files or directories have been introduced.
💡 What Undercode Say: The Anatomy of a Forgotten Threat
The exploitation of old vulnerabilities highlights a recurring problem in the cybersecurity ecosystem—the gap between patch availability and patch adoption. Most attacks in this campaign don’t rely on zero-day flaws but on known, documented, and long-fixed weaknesses that administrators have failed to address.
The real issue is security inertia. Many site owners either delay updates due to fear of compatibility issues or rely on outdated auto-update settings. In the world of WordPress, where plugins power functionality for over 40% of the web, this delay can become catastrophic.
From a threat intelligence perspective, the attackers’ approach is clever but not groundbreaking. Hosting the malicious ZIP archive on GitHub leverages a trusted platform, bypassing many basic security filters. The use of obfuscation and fake SEO plugin components shows how attackers now blend social engineering with technical intrusion, masking their payloads under familiar names.
This campaign also demonstrates how RCE attacks evolve from simple injection attempts to multi-layer persistence strategies. By dropping secondary tools like “wp-query-console,” attackers ensure continued access even if the main payload is detected and removed. It’s a sophisticated chain of infection designed for endurance, not just disruption.
Economically, this attack wave aligns with broader trends in cybercrime monetization. Compromised WordPress sites can be weaponized for phishing, cryptojacking, spam relays, and malware hosting. A single infection can spread malicious payloads across dozens of linked domains, amplifying its impact across digital ecosystems.
Undercode’s analysis indicates that the campaign’s timing—just before the holiday traffic season—may not be accidental. Cybercriminals often intensify attacks during high-traffic periods, exploiting the fact that many businesses focus on marketing and sales rather than maintenance.
From a defensive standpoint, organizations must shift from reactive patching to proactive hardening. This includes:
Enabling real-time plugin vulnerability alerts
Enforcing automated update pipelines
Regularly auditing WordPress REST endpoints for suspicious traffic
Ultimately, this incident is a loud reminder that cybersecurity is not a one-time act but a continuous discipline. The absence of a patching culture turns every forgotten plugin into a ticking time bomb.
For developers, plugin maintainers, and hosting providers, this should trigger a conversation about default security enforcement—perhaps even mandatory automatic patch deployment for critical vulnerabilities.
If WordPress wants to preserve its reputation as the world’s most flexible CMS, it must also become the most secure-by-default platform. That requires not only technological measures but also user education and stronger default safeguards against the consequences of neglect.
🔍 Fact Checker Results
✅ Vulnerabilities confirmed and publicly listed under CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972.
✅ Wordfence verified 8.7 million attack attempts during October 8–9, 2025.
❌ No evidence suggests the vulnerabilities were exploited after plugin updates beyond version 2.1.1 (GutenKit) and 1.9.0 (Hunk Companion).
📊 Prediction
🧠 Expect an uptick in automated botnet campaigns repurposing these vulnerabilities to spread credential-stealing malware.
🌐 WordPress will likely introduce stronger default update mechanisms or even forced patch rollouts for critical plugin vulnerabilities.
🔒 Site owners who continue to delay updates may face complete domain blacklisting by hosting providers and search engines in the coming months.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.reddit.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




