Renewed Wave of Cyber Attacks Targeting Popular WordPress Plugins
Cybersecurity firm Wordfence has reported a renewed wave of mass exploitation of critical vulnerabilities in two widely used WordPress plugins, GutenKit and Hunk Companion. The flaws let unauthenticated attackers install arbitrary plugins, including backdoors, and take over affected sites. Both vulnerabilities were disclosed and patched in late 2024, so the sites being hit now are the ones that never updated.
Overview of the Vulnerabilities
Both vulnerabilities stem from missing authorization checks on REST API endpoints: the routes that install plugins were registered without a permission check, so any visitor, logged in or not, can call them. With more than 40,000 (GutenKit) and 8,000 (Hunk Companion) active installations, the plugins are attractive targets, and attackers use the flaws to install arbitrary plugins without authenticating at all.
GutenKit Vulnerability
In GutenKit up to and including version 2.1.0, the install-active-plugin REST endpoint performs no permission check. An unauthenticated attacker can have it fetch a ZIP archive and extract it into the WordPress plugins directory. Because the archive contains PHP that WordPress then runs as a plugin, this is remote code execution (RCE); in practice the archive is a backdoor disguised as a legitimate plugin.
Hunk Companion Vulnerability
Hunk Companion up to and including version 1.8.5 exposes the themehunk-import endpoint with the same defect. It lets an unauthenticated attacker install any plugin from the WordPress.org repository, including abandoned ones with known vulnerabilities. The attackers' favourite is the unpatched wp-query-console plugin, which has its own RCE flaw, so installing it gives them code execution on the site.
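As an added illustration of the bug class behind both advisories (this is not code from GutenKit, Hunk Companion or Wordfence), the following registers a WordPress REST route that installs a plugin by slug, first with no authorization check and then hardened. The namespace `example/v1`, the route names and the `example_install_plugin` helper are hypothetical; `register_rest_route`, `current_user_can`, `rest_authorization_required_code`, `plugins_api` and `Plugin_Upgrader` are WordPress core APIs.

```php
<?php
/**
 * Added illustration of the bug class behind both advisories. Not code from
 * GutenKit, Hunk Companion or Wordfence; the namespace, route names and
 * example_install_plugin() are hypothetical. Everything else is WP core API.
 */

// VULNERABLE: '__return_true' as the permission callback means any
// unauthenticated visitor can POST to /wp-json/example/v1/install-plugin
// and have the site fetch and install whatever slug they supply.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => '__return_true', // the missing authorization check
    ) );
} );

// HARDENED: same callback, but the route now requires the install_plugins
// capability and validates the slug before it reaches the installer. For
// cookie-authenticated REST calls WordPress also enforces the X-WP-Nonce
// header, so a logged-in admin cannot be CSRF'd into this route either.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => function () {
            if ( current_user_can( 'install_plugins' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to install plugins.',
                array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
            );
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => function ( $slug ) {
                    // WordPress.org slugs: lowercase letters, digits and hyphens only.
                    return is_string( $slug ) && preg_match( '/^[a-z0-9-]{1,100}$/', $slug ) === 1;
                },
            ),
        ),
    ) );
} );

/**
 * Shared handler: look the slug up on WordPress.org and install it with the
 * core Plugin_Upgrader. The only difference between the two routes above is
 * who is allowed to reach this function.
 */
function example_install_plugin( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $slug = $request->get_param( 'slug' );
    $info = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $info ) ) {
        return new WP_Error( 'plugin_not_found', 'Unknown plugin slug.', array( 'status' => 404 ) );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $info->download_link );
    if ( is_wp_error( $result ) || true !== $result ) {
        return new WP_Error( 'install_failed', 'Installation failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'installed' => $slug ) );
}
```

An anonymous `POST /wp-json/example/v1/install-plugin` with `slug=wp-query-console` succeeds on the first route from any IP on the internet, which is the Hunk Companion scenario; the second route answers 401. The slug validation is defence in depth, not the fix: the GutenKit case delivered ZIP archives that never passed through the repository, so for both plugins the essential change is the permission callback.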
Timeline of Events
Patches have been available for more than a year, yet attackers relaunched large-scale exploitation on October 8, 2025. The vulnerabilities were originally reported through Wordfence's bug bounty program by researchers Sean Murphy and Daniel Rodriguez, who earned bounties of $537 to $716 for them. Both carry a critical CVSS score of 9.8, and both are trivially exploitable without credentials, which is why unpatched sites need immediate attention.
Attack Mechanisms
Attack logs show a consistent toolkit. One common payload, hosted on GitHub, is a set of obfuscated PHP scripts packaged to look like legitimate plugins such as All in One SEO. Once installed, the scripts provide administrator account takeover, a file manager, malware upload and mass defacement.
The other common tactic is to install wp-query-console through the Hunk Companion endpoint and then exploit that plugin's RCE flaw to run arbitrary PHP on the site. Wordfence's firewall has blocked more than 8.75 million attack attempts since rules for these vulnerabilities were released in September 2024, with a sharp spike on October 8-9, 2025.
Coordinated Botnet Activity
The sources of the traffic point to coordinated botnet activity rather than isolated scanners. The two top offending IPs, 3.141.28.47 and 13.218.47.110, account for roughly 349,900 and 82,900 blocked requests respectively. Wordfence ships new firewall rules to premium customers immediately and to free users after a 30-day delay; because the rules for these two flaws date from 2024, both tiers have had them for many months.
Recommendations for WordPress Users
Site administrators should act now. Update GutenKit to version 2.1.1 or later and Hunk Companion to version 1.9.0 or later; these releases add the missing authorization checks. A web application firewall such as Wordfence blocks the exploit requests to the REST endpoints, but it is a supplement to patching, not a replacement. Also audit installed plugins regularly for entries nobody on the team installed, in particular the directory names listed under the indicators below.
Wordfence stresses that unpatched sites remain prime targets a year after disclosure: a publicly known, unauthenticated flaw keeps being exploited for as long as vulnerable installations exist.
Indicators of Compromise (IoCs)
For those concerned about potential exposure, here are some key indicators of compromise:
Suspicious Requests
- /wp-json/gutenkit/v1/install-active-plugin
- /wp-json/hc/v1/themehunk-import
Suspicious IP Addresses
Notable IPs associated with these attacks include:
- 3.141.28.47
- 13.218.47.110
- 52.56.47.51
- 3.10.141.23
- And several others noted in extensive logs.
Common Malicious Plugin Directories
Plugin directories, and the matching ZIP archive names, that indicate compromise:
- /up (up.zip)
- /background-image-cropper (background-image-cropper.zip)
- /ultra-seo-processor-wp (ultra-seo-processor-wp.zip)
- /oke (oke.zip)
Legitimate Plugin Directory
A legitimate but vulnerable plugin that the attackers install and then exploit:
/wp-query-console
Involved Domains
A list of domains associated with these attacks includes:
- ls.fatec[.]info
- dari-slideshow[.]ru
- zarjavelli[.]ru
- And many others as detailed in cybersecurity intelligence reports.
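To turn the indicators above into a check, here is an added triage script (not part of the Wordfence report) that scans a web server access log for hits on the two exploited endpoints, flags the listed source IPs, separates requests that were blocked from those that got through, and looks for the malicious plugin directories. The log path and plugins directory are command-line arguments; the embedded log lines are constructed samples, not real traffic.

```php
<?php
/**
 * Added triage script for the IoCs above. Not from Wordfence or the article.
 * Usage: php ioc-scan.php /var/log/apache2/access.log /var/www/html/wp-content/plugins
 * Without arguments it runs against constructed sample lines (marked below).
 */

// Exploited endpoints, source IPs and plugin directory names from the IoC list.
const IOC_PATHS = array(
    '/wp-json/gutenkit/v1/install-active-plugin',
    '/wp-json/hc/v1/themehunk-import',
);
const IOC_IPS = array( '3.141.28.47', '13.218.47.110', '52.56.47.51', '3.10.141.23' );
const IOC_PLUGIN_DIRS = array( 'up', 'background-image-cropper', 'ultra-seo-processor-wp', 'oke', 'wp-query-console' );

/**
 * Parse one line in Apache/Nginx combined log format. Returns null for lines
 * that do not match (blank lines, other formats).
 */
function parse_access_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5] );
}

/**
 * Requests to an exploited endpoint. Each hit records whether the source IP
 * is on the published list and whether the request got through: a 2xx on an
 * unpatched site means the install most likely succeeded, whereas 401/403
 * means the patched plugin or a firewall rule rejected it.
 */
function find_suspicious_requests( iterable $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $req = parse_access_line( (string) $line );
        if ( null === $req ) {
            continue;
        }
        $path = explode( '?', $req['path'], 2 )[0]; // drop any query string
        foreach ( IOC_PATHS as $ioc ) {
            if ( strpos( $path, $ioc ) === 0 ) {
                $req['known_ip'] = in_array( $req['ip'], IOC_IPS, true );
                $req['blocked']  = $req['status'] >= 400;
                $hits[]          = $req;
                break;
            }
        }
    }
    return $hits;
}

/** Plugin directories from the IoC list that exist under $plugins_dir. */
function find_ioc_plugin_dirs( string $plugins_dir ): array {
    $found = array();
    foreach ( IOC_PLUGIN_DIRS as $name ) {
        if ( is_dir( $plugins_dir . DIRECTORY_SEPARATOR . $name ) ) {
            $found[] = $name;
        }
    }
    return $found;
}

// --- command line entry point ---
$log_path    = $argv[1] ?? null;
$plugins_dir = $argv[2] ?? null;

if ( $log_path !== null && is_readable( $log_path ) ) {
    $lines = new SplFileObject( $log_path );
} else {
    // Constructed sample lines (documentation IPs 203.0.113.x / 198.51.100.x), not real traffic.
    $lines = array(
        '3.141.28.47 - - [08/Oct/2025:14:02:11 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '203.0.113.9 - - [08/Oct/2025:14:02:15 +0000] "POST /wp-json/hc/v1/themehunk-import HTTP/1.1" 403 0 "-" "python-requests/2.31"',
        '198.51.100.4 - - [08/Oct/2025:14:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    );
}

foreach ( find_suspicious_requests( $lines ) as $hit ) {
    printf( "%s  %-15s %-4s %s -> %d%s%s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['status'],
        $hit['known_ip'] ? '  [listed IP]' : '',
        $hit['blocked'] ? '' : '  [NOT BLOCKED: inspect wp-content/plugins]'
    );
}
if ( $plugins_dir !== null ) {
    foreach ( find_ioc_plugin_dirs( $plugins_dir ) as $dir ) {
        echo "Suspicious plugin directory present: $dir\n";
    }
}
```

On the sample input the first line is reported as a listed IP that was not blocked, the second as blocked, and the login request is ignored. A hit that was not blocked on a site that was still on GutenKit 2.1.0 or Hunk Companion 1.8.5 at that timestamp should be treated as a probable compromise regardless of whether the listed directories are present, since the attackers also use other plugin names.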
By staying vigilant and proactive, WordPress users can mitigate the risks posed by these ongoing exploit attempts.
