Three critical-severity vulnerabilities in the GutenKit and Hunk Companion WordPress plugins have been exploited in a new campaign, Defiant warns.
Mass exploitation of the security defects began on October 8, with roughly 9 million exploit attempts blocked by the WordPress security firm over a two-week period, and follows previously identified large-scale campaigns targeting the same bugs.
GutenKit versions prior to 2.1.1 are affected by CVE-2024-9234, a missing capability check issue leading to arbitrary file uploads. The flaw allows attackers to install and activate arbitrary plugins or upload files masquerading as plugins.
Hunk Companion versions prior to 1.8.4 and 1.8.5 are vulnerable to unauthorized plugin installation/activation due to two missing capability check vulnerabilities in the ‘themehunk-import’ REST API endpoint.
Tracked as CVE-2024-9707 and CVE-2024-11972, the issues allow unauthenticated attackers to install plugins and achieve remote code execution through other vulnerable plugins.
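The root cause shared by all three bugs is a REST endpoint whose permission check does not require the capability the operation needs. The following is an added illustration of that pattern, written for this article and not code from GutenKit or Hunk Companion; the route names, the `example_install_plugin` callback and the `slug` parameter are hypothetical.

```php
<?php
// Added illustration of a "missing capability check" on a WordPress REST route.
// Hypothetical plugin code, not GutenKit's or Hunk Companion's; names are assumed.

// WEAK: permission_callback answers "yes" to everyone, so an unauthenticated
// visitor reaches a callback that installs and activates plugins.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/import', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => '__return_true', // the defect
    ) );
} );

// HARDENED: require the capabilities the operation actually needs and
// constrain the input before it reaches the callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/import-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Cookie-authenticated REST calls without a valid X-WP-Nonce are
            // treated as anonymous, so this check also covers CSRF-style abuse.
            if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient capability.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && 1 === preg_match( '/^[a-z0-9-]+$/', $value );
                },
            ),
        ),
    ) );
} );

// The callback is deliberately minimal: the point is who is allowed to reach it.
function example_install_plugin( WP_REST_Request $request ) {
    $slug = $request->get_param( 'slug' );
    return rest_ensure_response( array( 'requested' => $slug ) );
}
```

Since WordPress 5.5, registering a route with no `permission_callback` at all triggers a `_doing_it_wrong` notice, so a code review of a plugin's `register_rest_route` calls should look for `__return_true` (or a callback that checks nothing) on any endpoint that writes files or changes plugin state.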
As part of the recent attacks targeting the three security defects, the threat actor has distributed a malicious ZIP file posing as a plugin, which is hosted on GitHub.
The file contains multiple scripts that act as backdoors and attempt to establish persistence. A script in the archive allows attackers to automatically log in as administrators.
The ZIP also includes scripts that change file permissions, allowing the attackers to download and inspect files, and to archive entire folders into ZIP files. Other file upload/manager scripts are also included in the code.
Another file in the archive is a tool capable of mass defacement, network sniffing, and file management. It also has remote code execution functionality, allowing the attackers to deploy additional payloads.
GutenKit and Hunk Companion have over 40,000 and 8,000 active installations, respectively. Although the exploited vulnerabilities were patched over a year ago, they continue to represent attractive targets for threat actors, as the fresh campaign shows.
Site administrators are advised to update their plugins to the latest, patched versions, and to review the indicators of compromise (IOCs) shared by Defiant to identify potential compromise.
Related: Flaw Allowing Site Takeover Found in WordPress Plugin With 400k Installations
Related: Hackers Inject Malware Into Gravity Forms WordPress Plugin
Related: Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover
Related: Motors Theme Vulnerability Exploited to Hack WordPress Websites