[CIVN-2025-0291] Multiple vulnerabilities in Hunk Companion and GutenKit plugin for WordPress

Published On: November 6, 2025

Multiple vulnerabilities in Hunk Companion and GutenKit plugin for WordPress
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
WordPress Plugin GutenKit versions 2.1.0 and prior
WordPress Plugin Hunk Companion versions 1.8.5 and prior
Overview
Multiple vulnerabilities have been reported in Hunk Companion and GutenKit plugin for WordPress which could allow an unauthenticated attacker to execute arbitrary code on the targeted system.
Target Audience:
Users of affected WordPress Plugins.
Risk Assessment:
High risk of unauthorised access.
Impact Assessment:
Potential for arbitrary code execution.
Description
Hunk Companion and GutenKit are WordPress plugins commonly used to enhance website design and page-building functionality within WordPress.
The vulnerability in the GutenKit plugin exists because its REST API endpoint lacks proper validation, allowing unauthenticated arbitrary file upload via /wp-json/gutenkit/v1/install-active-plugin. The vulnerability in the Hunk Companion plugin is due to a missing capability/authorization check on the /wp-json/hc/v1/themehunk-import REST API endpoint.
Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the targeted system.
Note: These vulnerabilities are being exploited in the wild.
Solution
Apply appropriate updates as mentioned:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hunk-companion/hunk-companion-184-missing-authorization-to-unauthenticated-arbitrary-plugin-installationactivation
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/gutenkit-blocks-addon/gutenkit-210-unauthenticated-arbitrary-file-upload
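As an added example (not CERT-In's text or either plugin's code), the following POSIX shell check compares the installed plugin versions against the affected ranges stated above and names the update command. It assumes WP-CLI (`wp`) is on PATH and is run from the WordPress root, that the plugin slugs are hunk-companion and gutenkit-blocks-addon (taken from the vendor URLs below), and that `sort -V` is available.

```shell
#!/bin/sh
# Added example: flag installed Hunk Companion / GutenKit versions that fall in
# the affected ranges named in this advisory (1.8.5 and prior, 2.1.0 and prior).

# Highest affected version per plugin slug, as stated in the advisory.
affected_max() {
    case "$1" in
        hunk-companion)        echo "1.8.5" ;;
        gutenkit-blocks-addon) echo "2.1.0" ;;
        *)                     return 1 ;;   # slug not covered by this advisory
    esac
}

# Succeeds (exit 0) when version $2 is <= the affected maximum for plugin $1.
# sort -V orders version strings numerically, so 1.8.10 sorts after 1.8.5.
is_affected() {
    max=$(affected_max "$1") || return 1
    lowest=$(printf '%s\n%s\n' "$2" "$max" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Installed version via WP-CLI; prints nothing if the plugin is not installed.
installed_version() {
    wp plugin get "$1" --field=version 2>/dev/null
}

# Check both plugins on this site; returns 1 if any affected version is found.
check_site() {
    rc=0
    for slug in hunk-companion gutenkit-blocks-addon; do
        ver=$(installed_version "$slug")
        if [ -z "$ver" ]; then
            echo "$slug: not installed"
        elif is_affected "$slug" "$ver"; then
            echo "$slug $ver: AFFECTED - update with: wp plugin update $slug"
            rc=1
        else
            echo "$slug $ver: not in affected range"
        fi
    done
    return $rc
}

# Only query the site when WP-CLI is actually available.
command -v wp >/dev/null 2>&1 && check_site
```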
Vendor Information
Hunk Companion
https://wordpress.org/plugins/hunk-companion/
GutenKit
https://wordpress.org/plugins/gutenkit-blocks-addon/
References
Wordfence
https://www.wordfence.com/blog/2025/10/mass-exploit-campaign-targeting-arbitrary-plugin-installation-vulnerabilities/
BleepingComputer
https://www.bleepingcomputer.com/news/security/hackers-launch-mass-attacks-exploiting-outdated-wordpress-plugins/
CVE Name
CVE-2024-9234
CVE-2024-9707
CVE-2024-11972
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
