Application security, Vulnerability Management, Patch/Configuration Management, Third-party code

Hackers actively exploiting year-old flaws in WordPress plug-ins

Three critical WordPress plug-in flaws have been exploited by attackers since Oct. 8, roughly one year after the flaws were originally identified.

In an Oct. 23 blog post, Wordfence reported that the flaws were vulnerabilities in the GutenKit and Hunk Companion plug-ins make it possible for unauthenticated threat actors to install and activate arbitrary plugins to achieve remote code execution.

The GutenKit plug-in functions as a page builder for the default Gutenberg block editor in WordPress, while Hunk Companion helps developers add features and customization settings while building WordPress sites. There are more than 40,000 GutenKit sites, and 8,000 Hunk Companion sites.

According to the Wordfence blog, its firewall has blocked nearly 9 million exploit attempts targeting these vulnerabilities, CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972. Despite these effective defenses, security pros said teams should patch the three flaws in the plug-ins right away.

“Since October 8, attackers have been actively exploiting missing capability checks in the REST API of the GutenKit and Hunk Companion WordPress plugins,” said Randolph Barr, chief information security officer at Cequence Security. “These are critical vulnerabilities, and while patches are available, many organizations may still be exposed.”

Barr added that what often makes this type of incident risky is that WordPress environments are frequently managed by marketing or communications teams rather than IT or security organizations. Unless a company has a strong third-party vulnerability management process in place, Barr said it’s important to connect with the organization's marketing or web team immediately and confirm that these plug-ins have been patched or removed.

Vineeta Sangaraju, security solutions engineer at Black Duck, added that the fact that three critical vulnerabilities in these open-source plugins for one of the most popular content management systems are being mass-exploited a full year after discovery and patching highlights a troubling industry reality: open-source still gets treated as “set and forget.”

“Our recent report shows that open-source component usage has tripled in just four years, and that 90% of applications contain open-source software that’s, on average, 10 versions behind current releases,” Sangaraju said.  “This heavy dependence, coupled with lapses in critical maintenance, continues to expose organizations to unnecessary risk. The estimated 9 million exploit attempts against WordPress sites in October 2025 alone suggest attackers are capitalizing on the industry’s neglectful attitude toward open source.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds