👤 AUDITWOLF
🗓️ 25 Oct 2025   🌍 North America

Millions of WordPress Sites Stormed: Critical Plugin Flaws Unleash a Hacker Blitz

In just two days, cybercriminals exploited critical plugin vulnerabilities to target 8.7 million WordPress websites, exposing a fundamental weakness in the world’s most popular website platform.

Fast Facts

  • 8.7 million WordPress attack attempts were recorded over just 48 hours in early October 2024.
  • Attackers exploited critical flaws in GutenKit and Hunk Companion plugins, affecting tens of thousands of sites.
  • Three vulnerabilities, each rated at the highest danger level (CVSS 9.8), allowed hackers to take control remotely.
  • The flaws let attackers install malicious plugins and execute code as if they owned the website.
  • Wordfence, a major WordPress security provider, first reported the mass attack campaign.

The Perfect Storm: How Millions of Websites Were Laid Bare

Imagine a fortress city with open gates – that’s what 8.7 million WordPress sites became in early October, as hackers swept through exploiting critical cracks in popular plugins. The assault, swift and surgical, targeted vulnerabilities in GutenKit and Hunk Companion, two widely used add-ons that extend WordPress’s functionality. But these digital add-ons carried flaws so severe that security experts ranked them at the very top of the danger scale.

At the heart of the chaos were three vulnerabilities, cataloged as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972. All three shared a common weakness: they failed to check who was knocking at the door, that is, the affected code never verified that the requester was authorized to act. This oversight let attackers install any plugin - including malicious ones - without needing a password or any authorization. Once inside, hackers could run commands and take over the site, turning trusted pages into tools for scams, malware, or even larger cyber offensives.

Why Plugins Are Both Power and Peril

WordPress powers more than 40% of the world’s websites, from personal blogs to major businesses. Its secret weapon is its ecosystem of plugins - small software add-ons that provide everything from contact forms to e-commerce. But each plugin is also a potential weak spot. As this campaign shows, a single flaw can turn millions of sites into easy prey.

The vulnerabilities exploited here were found in the REST API endpoints of the plugins. Think of the REST API as a service entrance that lets apps talk to your site programmatically. If left unguarded, it becomes a welcome mat for attackers. The GutenKit flaw affected over 40,000 sites, while Hunk Companion’s issues threatened another 8,000. Combined, they created a massive attack surface ripe for exploitation.
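To make the "unguarded endpoint" problem concrete, here is an added illustration written for this article; it is not code from GutenKit, Hunk Companion or WordPress core, and the plugin namespace, route names and handler are hypothetical. It registers the same privileged REST route twice: once with a permission callback that admits anyone, which is the shape of flaw described above, and once gated on the WordPress capability that governs plugin installation.

```php
<?php
/*
 * Constructed example for this article (not the affected plugins' code).
 * The namespace 'example-plugin/v1', the routes and the handler are hypothetical.
 * Both registrations point at the SAME handler; only the permission check differs.
 */

// WEAK: '__return_true' tells the REST server that every request is allowed,
// so an unauthenticated visitor can reach a handler that acts with the
// site's own privileges. This is the class of defect behind a missing
// authorization check on a plugin-install endpoint.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/install-weak', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => 'example_plugin_install_handler',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED: the permission callback runs before the handler and must return
// true (or a WP_Error to refuse). Only a logged-in user who already holds the
// 'install_plugins' capability gets through. The 'slug' argument is also
// validated and sanitized so the handler never sees arbitrary input.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/install', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_plugin_install_handler',
        'permission_callback' => 'example_plugin_can_install',
        'args'                => array(
            'slug' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $value ) {
                    // Plugin directory slugs are lowercase letters, digits and hyphens.
                    return is_string( $value ) && preg_match( '/^[a-z0-9-]{1,64}$/', $value ) === 1;
                },
            ),
        ),
    ) );
} );

/**
 * Permission callback: decide WHO may call the endpoint.
 * For cookie-authenticated sessions WordPress core already requires a valid
 * 'wp_rest' nonce before it treats the request as logged in, so a plain
 * capability check is sufficient here and still works for application-password
 * authentication, which sends no nonce.
 */
function example_plugin_can_install( WP_REST_Request $request ) {
    if ( ! current_user_can( 'install_plugins' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to install plugins on this site.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

/**
 * Handler: stands in for the privileged action. In a real plugin this is where
 * a package would be downloaded and activated; here it only records the request,
 * which is enough to show that the handler itself cannot tell the two routes apart.
 */
function example_plugin_install_handler( WP_REST_Request $request ) {
    $slug = $request->get_param( 'slug' );
    error_log( sprintf(
        'example-plugin: install of "%s" requested by user %d',
        $slug,
        get_current_user_id()
    ) );
    return rest_ensure_response( array( 'slug' => $slug, 'status' => 'queued' ) );
}
```

When auditing a plugin, the quickest check is to grep its source for `register_rest_route` and read every `permission_callback`: any route that performs a privileged action but is registered with `'__return_true'`, or with a callback that returns true without consulting `current_user_can()`, is the pattern this article describes. The WordPress REST server also logs a `_doing_it_wrong` notice when a route is registered with no permission callback at all, which makes that variant easy to spot in debug logs.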

Echoes of Attacks Past - And a Growing Industry Problem

This is far from the first time WordPress sites have been hit by plugin flaws. In 2021, the notorious “WP File Manager” bug let hackers compromise over 700,000 sites. Each wave of attacks chips away at trust in the platform and highlights the race between plugin developers and cybercriminals. As open-source software, WordPress relies on rapid community patching - but with thousands of plugins, keeping up is a Sisyphean task.

Security firms like Wordfence and Sucuri regularly report mass exploit campaigns, often linked to criminal groups seeking to hijack web traffic, steal data, or build botnets. Some analysts suggest that such vulnerabilities can even be leveraged in geopolitical conflicts, where control of online narratives and infrastructure is at stake.

For website owners and everyday users alike, the lesson is clear: the convenience of plugins comes with a hidden price. As hackers become more sophisticated, the margin for error shrinks. Vigilance, timely updates, and a skeptical eye for add-ons remain the best defense in a world where your website’s front door might be wide open - and you may never know until the enemy is inside.

WIKICROOK

  • WordPress: WordPress is a popular platform that lets users build and manage websites or blogs easily, without needing to know how to code.
  • Plugin: A plugin is a small software add-on that extends the features of a main application, but may also introduce new security vulnerabilities.
  • Vulnerability (CVE): A CVE (Common Vulnerabilities and Exposures entry) is a publicly listed identifier for a security flaw in software or hardware that attackers can exploit if it is left unpatched.
  • REST API: A REST API is a set of rules that lets different software systems communicate over the internet, acting like a translator between websites and apps.
  • Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
