Mass Attack Targets WordPress via GutenKit and Hunk Companion Plugins
Mass exploitation attacks are once again targeting WordPress websites, this time through serious vulnerabilities in two popular plugins, GutenKit and Hunk Companion. Cybersecurity researchers say the campaign began on October 8 and has already seen around nine million exploit attempts blocked over two weeks.
The problem traces back to three critical vulnerabilities that let attackers install and activate arbitrary plugins without any authentication. This can lead to full site compromise if another vulnerable plugin is present. Wordfence, which first spotted the ongoing campaign, said the same bugs had already been targeted in earlier attacks but are now seeing renewed and aggressive use.
The Hunk Companion plugin, used for theme customisation, contains a missing capability check in the /wp-json/hc/v1/themehunk-import REST API endpoint. Versions up to 1.8.5 are exposed, allowing anyone to install and activate plugins remotely. This flaw, classified as a bypass to CVE-2024-9707, opens the door for attackers to gain full control of a WordPress site if they can activate another plugin containing executable code.
GutenKit, a plugin known for enhancing Gutenberg blocks, has a similar issue. Versions before 2.1.1 are vulnerable to CVE-2024-9234, which allows arbitrary file uploads through a missing capability check. The flaw can be used to upload fake plugin files or activate malicious extensions. Hunk Companion’s earlier versions, 1.8.4 and 1.8.5, also contain two additional capability check flaws tracked as CVE-2024-9707 and CVE-2024-11972.
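Both flaws described above come down to the same defect: a REST route whose handler can install or activate plugins is registered without checking that the caller holds the matching capability. The block below is an added example, not code from GutenKit, Hunk Companion or Wordfence; it shows the weak registration beside the corrected one. The `example/v1` namespace, the route names and the `example_import_plugin` handler are hypothetical.

```php
<?php
// Added example (not GutenKit or Hunk Companion code): a plugin-install REST route
// registered the weak way and the hardened way. Route names and the handler are
// hypothetical; everything else is the WordPress core API.

add_action( 'rest_api_init', function () {
    // WEAK: '__return_true' makes the route public, so an unauthenticated
    // request reaches a handler that installs and activates plugins. This is
    // the "missing capability check" pattern the article describes.
    register_rest_route( 'example/v1', '/import-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_plugin',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: the handler only runs for users who may install and activate
    // plugins. Cookie-authenticated REST calls additionally need a valid
    // X-WP-Nonce, which core verifies before the permission callback runs.
    // The args block rejects anything that is not a plain plugin slug.
    register_rest_route( 'example/v1', '/import', array(
        'methods'             => 'POST',
        'callback'            => 'example_import_plugin',
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' )
                && current_user_can( 'activate_plugins' );
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => function ( $value ) {
                    return is_string( $value )
                        && preg_match( '/^[a-z0-9-]{1,64}$/', $value ) === 1;
                },
            ),
        ),
    ) );
} );

// Installs a plugin from the wordpress.org directory by slug and activates it.
// Same handler for both routes: the only difference is who is allowed to reach it.
function example_import_plugin( WP_REST_Request $request ) {
    $slug = sanitize_key( $request->get_param( 'slug' ) );

    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return new WP_Error( 'not_found', 'Unknown plugin slug', array( 'status' => 404 ) );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        return new WP_Error( 'install_failed', 'Plugin install failed', array( 'status' => 500 ) );
    }

    $file   = $upgrader->plugin_info();   // "dir/main-file.php" of what was installed
    $active = activate_plugin( $file );
    if ( is_wp_error( $active ) ) {
        return $active;
    }
    return rest_ensure_response( array( 'installed' => $file, 'activated' => true ) );
}
```

`__return_true` is legitimate for routes that serve public data, which is why it survives code review so easily; the review question is whether the handler changes site state, and if it does, the permission callback must test a capability, not merely that some user is logged in. For a fix to an already-shipped endpoint, the hardened registration is the whole change; the handler body does not need to move.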
Figure: Attack flow (via Wordfence)
Security experts say this campaign highlights a persistent problem in how organisations manage open-source components. Vineeta Sangaraju, Security Solutions Engineer at Black Duck, pointed out that even though these bugs were fixed long ago, many websites never applied the updates. “The fact that these critical vulnerabilities are being exploited a full year after discovery and patching shows that open source is still treated as ‘set and forget,’” she said.
According to Black Duck’s 2025 Open Source Security and Risk Analysis report, the use of open-source components has tripled in four years, and 90% of applications rely on software that is, on average, ten versions behind.
Sangaraju added that neglecting routine maintenance is giving attackers a clear advantage. The estimated eight million exploit attempts in October alone show how quickly unpatched systems can be targeted once a weakness is public.
Website administrators using GutenKit or Hunk Companion are advised to update immediately to GutenKit 2.1.1 and Hunk Companion 1.8.6 or later. They should also review installed plugins for any unauthorised additions. The latest findings from Wordfence are available in full on the Wordfence blog.
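The advice to review installed plugins is easier to follow when it is automated. The must-use plugin below is an added example, not code from Wordfence or either plugin vendor: it keeps an allowlist of approved plugin basenames, logs and e-mails an alert whenever a plugin outside that list is activated (the action both abused endpoints ultimately perform), and runs a daily sweep for anything that appeared without passing through that hook. The allowlist entries are placeholder basenames to be replaced with the site's own, and the `example_` names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Plugin Allowlist Audit
 *
 * Added example (not code from Wordfence, GutenKit or Hunk Companion).
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins and
 * cannot itself be deactivated from the dashboard. The basenames below are
 * placeholders: replace them with the plugins this site is supposed to run.
 */

const EXAMPLE_APPROVED_PLUGINS = array(
    'gutenkit-blocks-addon/gutenkit-blocks-addon.php', // placeholder basename
    'hunk-companion/hunk-companion.php',               // placeholder basename
);

// Returns [ basename => 'active'|'inactive' ] for every installed plugin that
// is not on the allowlist. An unexpected *active* entry is the urgent case.
function example_unapproved_plugins() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $installed  = array_keys( get_plugins() );
    $active     = (array) get_option( 'active_plugins', array() );
    $unapproved = array_diff( $installed, EXAMPLE_APPROVED_PLUGINS );

    $report = array();
    foreach ( $unapproved as $file ) {
        $report[ $file ] = in_array( $file, $active, true ) ? 'active' : 'inactive';
    }
    return $report;
}

function example_alert( $message ) {
    error_log( '[plugin-audit] ' . $message );
    wp_mail( get_option( 'admin_email' ), 'Plugin allowlist alert', $message );
}

// Fires on every activation, including ones triggered through a REST handler
// that skipped its capability check. User id 0 means an unauthenticated caller.
add_action( 'activated_plugin', function ( $plugin ) {
    if ( in_array( $plugin, EXAMPLE_APPROVED_PLUGINS, true ) ) {
        return;
    }
    example_alert( sprintf(
        'Unapproved plugin activated: %s (user %d, remote %s, request %s)',
        $plugin,
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $_SERVER['REQUEST_URI'] ?? 'unknown'
    ) );
}, 10, 1 );

// Daily WP-Cron sweep for plugins that were dropped in place without going
// through activate_plugin() at all (for example, by direct file upload).
add_action( 'example_plugin_audit', function () {
    $flagged = example_unapproved_plugins();
    if ( ! empty( $flagged ) ) {
        example_alert( 'Unapproved plugins present: ' . wp_json_encode( $flagged ) );
    }
} );
if ( ! wp_next_scheduled( 'example_plugin_audit' ) ) {
    wp_schedule_event( time(), 'daily', 'example_plugin_audit' );
}
```

The `activated_plugin` hook gives a near-real-time signal with the request context attached, which is what an incident responder wants when reconstructing how a plugin arrived; the cron sweep catches the case the hook cannot see, a plugin directory written straight into `wp-content/plugins/`. The allowlist itself also doubles as the inventory the update advice above depends on.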