Millions of attacks hit WordPress websites - here's how to make sure you stay safe

Person editing a WordPress site (Image credit: Pixabay)

  • Unpatched GutenKit and Hunk Companion plugins exploited in mass WordPress attacks
  • Attackers use ‘up’ plugin to gain admin access and deploy malware
  • Wordfence blocked 8.7 million attempts in 48 hours; updates remain critical

Three critical-severity vulnerabilities, found in two WordPress plugins and fixed more than a year ago, are now being exploited in mass attacks against websites which still haven’t patched the issues.

WordPress security firm Wordfence said it blocked more than 8.7 million attack attempts over roughly 48 hours, all targeting vulnerabilities in the GutenKit and Hunk Companion plugins.

The former extends Gutenberg by adding dozens of extra blocks, templates, and layout tools, while the latter is a “helper” plugin for ThemeHunk themes that adds sections like “team”, “services”, “portfolio”, “sliders”, and more.

Malicious payload on GitHub

Between October and December 2024, three flaws were found - and patched - in the plugins: CVE-2024-9234 in GutenKit, and CVE-2024-9707 and CVE-2024-11972 in Hunk Companion (the latter a bypass of the fix for the former). All three were rated critical (CVSS 9.8/10). Each stems from a REST API endpoint that did not check whether the caller was authorised, so an unauthenticated attacker can install and activate arbitrary plugins and thereby run malicious code on a vulnerable site.

Now, threat actors are taking advantage of the fact that many site operators are slow to apply fixes, even a year after patches were published.

Wordfence says the hackers are using the vulnerabilities to install a malicious plugin called ‘up’, that’s being hosted as a .ZIP archive on GitHub.
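A site owner who suspects they were hit wants to know whether these endpoints were called. The following is an added example, not code from the article or from Wordfence: it scans web-server access logs in the common "combined" format for POST requests to the two REST routes. The route paths are the ones I recall from the Wordfence write-ups on these CVEs and are not stated on this page, so confirm them against the advisories before relying on the rule; the log lines are constructed sample data using documentation IP ranges. WordPress also accepts REST calls as `/index.php?rest_route=...` when pretty permalinks are off, and attackers use that form too, so the normaliser handles both.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# REST routes I recall from the Wordfence write-ups on these CVEs. They are NOT stated
# on this page: confirm them against the advisories before turning this into a rule.
SUSPECT_ROUTES = {
    "/gutenkit/v1/install-active-plugin": "CVE-2024-9234 (GutenKit)",
    "/hc/v1/themehunk-import": "CVE-2024-9707 / CVE-2024-11972 (Hunk Companion)",
}

# Apache/nginx "combined" access-log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Oct/2025:10:12:33 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
198.51.100.7 - - [14/Oct/2025:10:12:35 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Oct/2025:10:12:40 +0000] "POST /index.php?rest_route=%2Fhc%2Fv1%2Fthemehunk-import HTTP/1.1" 403 94 "-" "python-requests/2.32.3"
192.0.2.9 - - [14/Oct/2025:10:13:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
203.0.113.77 - - [14/Oct/2025:10:15:11 +0000] "POST /blog/wp-json/hc/v1/themehunk-import/ HTTP/1.1" 200 131 "-" "curl/8.5.0"
"""


def rest_route(target):
    """Normalise a request target to its WP REST route (lower-case, leading slash,
    no trailing slash). Handles the pretty /wp-json/<route> form, sites installed in
    a sub-directory, and the ?rest_route=<route> fallback. Returns None for non-REST URLs."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    marker = "/wp-json/"
    idx = path.find(marker)
    if idx != -1:
        route = path[idx + len(marker) - 1:]          # keep the leading slash
    else:
        qs = parse_qs(parts.query)                    # parse_qs already percent-decodes
        if "rest_route" not in qs:
            return None
        route = unquote(qs["rest_route"][0])
    return ("/" + route.strip("/")).lower()


def find_exploit_attempts(lines):
    """Return one record per POST to a suspect route, in log order.
    The HTTP status is included because a 401/403 means the request was rejected,
    while a 200 means the endpoint answered and the site needs a closer look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        route = rest_route(m["target"])
        if route in SUSPECT_ROUTES:
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "route": route,
                "cve": SUSPECT_ROUTES[route],
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG.splitlines()):
        flag = "ANSWERED" if hit["status"] == 200 else "rejected"
        print(f'{hit["time"]} {hit["ip"]} {hit["route"]} -> {hit["status"]} ({flag}) {hit["cve"]}')
```

Run it over a real log with `find_exploit_attempts(open("access.log"))`. A 200 on these routes is not proof of compromise on its own (the plugin may already have been patched and simply returned an error body), but any such hit on an unpatched site should be treated as a likely install of the attacker's plugin and followed by a plugin and admin-user inventory.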

The plugin allows the threat actors to upload, download, or delete files from the site, as well as to tamper with the site’s permissions. It also allows the threat actor to automatically log into the vulnerable website as an administrator.

Wordfence also says that, among other things, the attackers are using ‘up’ to set up persistence, steal information, and drop additional malware.

As the world’s most widely used website builder platform, WordPress is a popular target among cybercriminals. Because the core software is generally considered well secured, attackers usually go after themes and plugins instead, which are far more often vulnerable or abandoned by their developers.

The best way to mitigate the risk is to keep only the plugins and themes you actually use, remove the rest, and make sure what remains is updated promptly (enabling automatic updates where possible). Given how this campaign works, it is also worth checking installed plugins for anything you did not add, such as one named ‘up’, and reviewing the list of administrator accounts for users you do not recognise.
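To make that check repeatable, here is an added example (not code from the article or from Wordfence) that inventories a site’s `wp-content/plugins` directory by reading the standard plugin headers, then flags three things: the ‘up’ plugin slug named in the report, any plugin that is not on an operator-maintained allow-list, and installs of GutenKit or Hunk Companion below the fixed versions. The fixed version numbers (2.1.1 and 1.3.12) are what I recall from the Wordfence advisories and are not stated on this page, so verify them against each plugin’s changelog; the plugin slugs and the demo directory tree are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Fixed versions as I recall them from the Wordfence advisories (CVE-2024-9234: GutenKit 2.1.1;
# CVE-2024-11972: Hunk Companion 1.3.12). NOT stated on this page: verify against the changelogs.
# The directory slugs are assumed to match the wordpress.org plugin slugs.
FIXED_VERSIONS = {
    "gutenkit-blocks-addon": "2.1.1",
    "hunk-companion": "1.3.12",
}
# Slug of the plugin this campaign installs, per the Wordfence report quoted in the article.
KNOWN_MALICIOUS_SLUGS = {"up"}

# WordPress plugin header lines look like " * Plugin Name: Foo" inside a doc comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
                       re.MULTILINE | re.IGNORECASE)


def read_plugin_header(php_file):
    """Return {'Plugin Name': ..., 'Version': ...} parsed from the first 8 KB of a PHP file
    (the window WordPress itself reads), or None if the file carries no plugin header."""
    with open(php_file, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    fields = {key.title(): value for key, value in HEADER_RE.findall(head)}
    return fields if "Plugin Name" in fields else None


def version_tuple(version):
    """'1.3.11' -> (1, 3, 11); non-numeric suffixes such as '-beta' are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def inventory(plugins_dir):
    """Map slug -> header dict for every plugin directory (or single-file plugin)."""
    found = {}
    for entry in sorted(Path(plugins_dir).iterdir()):
        if entry.is_dir():
            slug, candidates = entry.name, sorted(entry.glob("*.php"))
        elif entry.suffix == ".php":
            slug, candidates = entry.stem, [entry]
        else:
            continue
        for php in candidates:
            header = read_plugin_header(php)
            if header:
                found[slug] = header
                break
    return found


def audit_plugins(plugins_dir, allowlist=None):
    """Return a list of {'slug', 'name', 'version', 'issues'} for plugins that need attention."""
    findings = []
    for slug, header in inventory(plugins_dir).items():
        issues = []
        version = header.get("Version", "0")
        if slug in KNOWN_MALICIOUS_SLUGS:
            issues.append("slug matches the malicious 'up' plugin from the Wordfence report")
        if allowlist is not None and slug not in allowlist:
            issues.append("not in the site's plugin allow-list")
        fixed = FIXED_VERSIONS.get(slug)
        if fixed and version_tuple(version) < version_tuple(fixed):
            issues.append(f"version {version} is below fixed version {fixed}")
        if issues:
            findings.append({"slug": slug, "name": header["Plugin Name"],
                             "version": version, "issues": issues})
    return findings


def build_demo_tree(root):
    """Write a constructed wp-content/plugins tree (sample data, not a real site)."""
    plugins = {
        "akismet/akismet.php": ("Akismet Anti-spam", "5.3"),
        "gutenkit-blocks-addon/gutenkit-blocks-addon.php": ("GutenKit", "2.1.0"),
        "hunk-companion/hunk-companion.php": ("Hunk Companion", "1.3.11"),
        "up/up.php": ("up", "1.0"),
    }
    plugins_dir = Path(root) / "wp-content" / "plugins"
    for rel, (name, ver) in plugins.items():
        path = plugins_dir / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
    return plugins_dir


def run_demo():
    """Build the sample tree in a temp dir and audit it against an assumed allow-list."""
    with tempfile.TemporaryDirectory() as root:
        plugins_dir = build_demo_tree(root)
        return audit_plugins(plugins_dir, allowlist={"akismet", "gutenkit-blocks-addon", "hunk-companion"})


if __name__ == "__main__":
    for finding in run_demo():
        print(f'{finding["slug"]} ({finding["name"]} {finding["version"]}):')
        for issue in finding["issues"]:
            print(f"  - {issue}")
```

Point `audit_plugins()` at a real site’s `wp-content/plugins` and keep the allow-list under version control so a new, unexplained slug shows up immediately. The script only reads plugin headers, so it does not catch a backdoor hidden inside a legitimate plugin or a stray PHP file in `wp-content/uploads`; pair it with a file-integrity check and a review of administrator accounts.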

Via BleepingComputer




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
