Hackers Actively Exploiting WordPress Plugin Vulnerabilities to Install Malicious Software

In October 2025, cybersecurity analysts identified a significant exploitation campaign targeting critical vulnerabilities in two widely used WordPress plugins: GutenKit and Hunk Companion. These vulnerabilities, initially discovered in late 2024, have resurfaced, posing substantial risks to hundreds of thousands of websites globally.

Background on the Vulnerabilities

The GutenKit plugin, boasting over 40,000 active installations, and Hunk Companion, with approximately 8,000 users, have become prime targets due to their extensive adoption. The core issue lies in improper permission checks within their REST API endpoints. This flaw allows unauthenticated attackers to install malicious plugins, leading to remote code execution without requiring user credentials or interaction.

Details of the Exploitation

Analysts from the Wordfence Threat Response Unit observed a resurgence in exploitation attempts starting October 8, 2025, nearly a year after the initial disclosure. This indicates that threat actors continue to leverage these vulnerabilities for large-scale attacks. The Wordfence Firewall has intercepted over 8,755,000 exploit attempts targeting these flaws since deploying protective rules.

The attack infrastructure is notably organized, deploying multiple malicious payloads designed for persistence and lateral movement within compromised systems. Researchers have identified that attackers distribute heavily obfuscated backdoors, file managers, and web shells capable of mass defacement, network reconnaissance, and terminal access.

Technical Analysis of the Vulnerabilities

The fundamental issue stems from a critical misconfiguration in REST API endpoint registration. Both plugins register their routes with a permission callback that unconditionally returns true, so WordPress performs no authentication or capability check on those endpoints and access control is effectively disabled.

– GutenKit: The vulnerable `gutenkit/v1/install-active-plugin` endpoint routes requests to the `install_and_activate_plugin_from_external()` function.

– Hunk Companion: Exposes similar functionality through the `hc/v1/themehunk-import` endpoint.

Attackers exploit these endpoints by sending POST requests with arbitrary plugin URLs hosted on external repositories, such as GitHub or attacker-controlled domains. Upon receiving these requests, the server downloads and extracts the specified ZIP archive directly into the `wp-content/plugins` directory without validating the plugin’s authenticity or code integrity.
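The misconfiguration described above, as an added PHP illustration that is not GutenKit's or Hunk Companion's own code: the vulnerable route registration beside a hardened one. The route and handler names come from the advisory; the handler body, the `gk_example_` function names and the `plugin_url` parameter are assumptions.

```php
<?php
// Illustration added to this write-up; it is not code from GutenKit or Hunk
// Companion. The route name and handler name come from the advisory; the
// handler body and the 'plugin_url' parameter are assumptions.

// BEFORE: the pattern behind the vulnerability. A permission callback that
// always returns true tells WordPress to skip every authentication and
// capability check, so an anonymous POST reaches the installer.
function gk_example_register_route_vulnerable() {
    register_rest_route( 'gutenkit/v1', '/install-active-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'install_and_activate_plugin_from_external',
        'permission_callback' => '__return_true', // no access control at all
    ) );
}

// AFTER: require a logged-in user with the install_plugins capability and
// restrict the download source. Cookie-authenticated REST calls must also
// carry a valid X-WP-Nonce header, which core verifies before this runs.
function gk_example_register_route_hardened() {
    register_rest_route( 'gutenkit/v1', '/install-active-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'install_and_activate_plugin_from_external',
        'permission_callback' => function () {
            if ( current_user_can( 'install_plugins' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to install plugins.',
                array( 'status' => rest_authorization_required_code() )
            );
        },
        'args' => array(
            'plugin_url' => array( // assumed parameter name
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    // Accept only HTTPS downloads from the official repository,
                    // rejecting GitHub or attacker-controlled hosts.
                    return 'https' === wp_parse_url( $value, PHP_URL_SCHEME )
                        && 'downloads.wordpress.org' === wp_parse_url( $value, PHP_URL_HOST );
                },
            ),
        ),
    ) );
}

// Only the hardened registration is hooked; the vulnerable one is shown for contrast.
add_action( 'rest_api_init', 'gk_example_register_route_hardened' );
```

With the hardened registration, an unauthenticated request is rejected with a 401 before the installer runs, and an authenticated request still cannot pull a ZIP from an arbitrary host.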

Malicious packages often contain obfuscated PHP scripts with headers mimicking legitimate plugins like All in One SEO to evade detection. Additionally, they may include base64-encoded file managers and backdoors disguised with PDF headers, enabling complete system compromise.

Implications for Website Administrators

The automatic execution and activation of these malicious plugins grant attackers direct command execution capabilities. This access allows them to install additional malware, modify website content, and establish persistent access mechanisms, posing severe risks to website integrity and user data.

Recommendations for Mitigation

Website administrators are strongly advised to take the following actions:

1. Update Plugins: Immediately update GutenKit to version 2.1.1 and Hunk Companion to version 1.9.0, as these versions contain patches addressing the vulnerabilities.

2. Audit Plugin Directories: Review the `wp-content/plugins` and `wp-content/upgrade` directories for any suspicious installations or files that may indicate compromise.

3. Monitor Access Logs: Examine server access logs for requests to the `/wp-json/gutenkit/v1/install-active-plugin` and `/wp-json/hc/v1/themehunk-import` endpoints, which may signal exploitation attempts.

4. Implement Firewall Rules: Configure firewall rules to restrict API access to authenticated users only, thereby mitigating the risk of unauthorized exploitation.

Conclusion

The resurgence of exploitation attempts targeting these vulnerabilities underscores the persistent threat posed by unpatched WordPress installations. Proactive measures, including timely updates and vigilant monitoring, are essential to safeguard websites against such attacks.