Concise Cyber


Wordfence Blocks 8.7 Million Attacks Targeting GutenKit & Hunk Companion Flaws

Between July 4th and July 8th, the Wordfence firewall blocked a wave of 8.7 million attacks aimed at 1.8 million websites. The attackers sought to exploit two known vulnerabilities, still unpatched on many sites, in the popular WordPress plugins GutenKit – Templates and Blocks Builder and Hunk Companion.

The campaign was orchestrated from a network of 2,360 distinct IP addresses, highlighting a coordinated effort to compromise a large number of WordPress installations running outdated versions of these plugins.

Exploited Plugin Vulnerabilities

The attackers focused on two specific critical vulnerabilities, both of which allow for unauthenticated arbitrary file uploads. This type of flaw enables an attacker to upload malicious files to a target server without needing to log in or have any prior privileges.

The first vulnerability, tracked as CVE-2024-2032, affects versions of GutenKit – Templates and Blocks Builder up to 1.3.6. This security issue was originally patched by the developer in January 2024. The second vulnerability, CVE-2024-34537, impacts Hunk Companion versions up to 2.5.7 and was patched in May 2024. Despite patches being available for months, many sites remained vulnerable.

Attack Objective and Methodology

The primary goal of the attack campaign was to gain complete administrative control over the targeted websites. Attackers attempted to upload malicious PHP files, including files named wp-xmlrpc.php and r.php, to the compromised sites. The uploaded scripts were designed to create new administrator accounts. Analysis shows the malicious code was specifically programmed to create admin users with usernames such as ‘wp_administrator’ and ‘wpservices’. By creating these unauthorized accounts, the attackers could achieve full site takeover. Wordfence firewall rules protected users by blocking these malicious file upload attempts.
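A defender-side triage script for the indicators in this summary, added here as an example (it is not Wordfence's code or either plugin's code): it compares plugin header versions against the patched-before thresholds above, looks for the dropped file names, and flags the campaign's admin usernames plus any administrator not on an allow-list. The plugin directory slugs, the allow-list and all sample inputs are assumptions constructed for the example.

```python
"""Triage checks for the GutenKit / Hunk Companion upload campaign.

Thresholds, file names and usernames come from the article; plugin slugs
and the sample data below are constructed for illustration. On a real site,
feed in the plugin header text, a file listing and the wp_users rows.
"""
import re
from pathlib import PurePosixPath

# Highest vulnerable version per plugin slug (GutenKit <= 1.3.6, Hunk Companion <= 2.5.7).
# The slugs are assumed, not taken from the article.
VULNERABLE_UP_TO = {"gutenkit-blocks-addon": (1, 3, 6), "hunk-companion": (2, 5, 7)}
INDICATOR_FILES = {"wp-xmlrpc.php", "r.php"}          # names of the dropped PHP scripts
INDICATOR_USERS = {"wp_administrator", "wpservices"}  # admin accounts the scripts created


def parse_version(header_text):
    """Extract the 'Version:' field of a WordPress plugin header as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def vulnerable_plugins(headers):
    """headers: {slug: main-file header text}. Returns (slug, version) pairs still at or below the fix."""
    found = []
    for slug, text in headers.items():
        ceiling, ver = VULNERABLE_UP_TO.get(slug), parse_version(text)
        if ceiling and ver and ver <= ceiling:
            found.append((slug, ".".join(map(str, ver))))
    return found


def suspicious_files(paths):
    """Flag files whose basename matches the campaign's dropped scripts, wherever they sit."""
    return sorted(p for p in paths if PurePosixPath(p).name in INDICATOR_FILES)


def rogue_admins(users, expected_admins):
    """users: (login, role) pairs. Flag known campaign logins and any admin not on the allow-list."""
    return sorted(login for login, role in users
                  if role == "administrator" and (login in INDICATOR_USERS or login not in expected_admins))


# Constructed sample inputs standing in for a real site's files and database.
SAMPLE_HEADERS = {
    "gutenkit-blocks-addon": "/*\n * Plugin Name: GutenKit\n * Version: 1.3.6\n */",
    "hunk-companion": "/*\n * Plugin Name: Hunk Companion\n * Version: 2.5.8\n */",
}
SAMPLE_FILES = ["wp-content/uploads/r.php", "wp-content/uploads/photo.jpg", "wp-xmlrpc.php", "xmlrpc.php"]
SAMPLE_USERS = [("site_owner", "administrator"), ("wpservices", "administrator"),
                ("editor1", "editor"), ("contractor", "administrator")]

if __name__ == "__main__":
    print("vulnerable plugins:", vulnerable_plugins(SAMPLE_HEADERS))
    print("suspicious files:  ", suspicious_files(SAMPLE_FILES))
    print("unexpected admins: ", rogue_admins(SAMPLE_USERS, {"site_owner"}))
```

Note that `xmlrpc.php` in the site root is a legitimate WordPress file; only the look-alike `wp-xmlrpc.php` is flagged, and a `Version:` above the threshold is treated as patched.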

Source: https://securityaffairs.com/183876/uncategorized/wordfence-blocks-8-7m-attacks-exploiting-old-gutenkit-and-hunk-companion-flaws.html