Mass Exploitation Campaign Targets Outdated WordPress Plugins
Summary
A widespread campaign is exploiting outdated versions of the WordPress plugins GutenKit and Hunk Companion, targeting critical vulnerabilities to achieve remote code execution (RCE). The campaign, which began on October 8, 2025, exploits three critical-severity flaws in the two plugins, affecting over 48,000 installs. Attackers use malicious plugins hosted on GitHub to maintain persistence, steal data, and execute commands on compromised sites. Wordfence has blocked nearly 8.8 million exploitation attempts. The vulnerabilities were patched in October and December 2024, but many sites remain unpatched.
Timeline
- 24.10.2025 22:28 (2 articles)
Mass Exploitation Campaign Targets Outdated WordPress Plugins
The campaign affected over 40,000 active installations of GutenKit and 8,000 active installations of Hunk Companion. Wordfence discovered the vulnerabilities via its bug bounty program on September 25 and October 3, 2024. Wordfence has blocked nearly 8.8 million exploitation attempts. The vulnerabilities allow threat actors to hijack targeted sites by uploading PHP files and executing malicious code on the server.
Sources:
- Hackers launch mass attacks exploiting outdated WordPress plugins — www.bleepingcomputer.com — 24.10.2025 22:28
- Critical WordPress Plugin Bugs Exploited En Masse — www.infosecurity-magazine.com — 27.10.2025 12:15
Information Snippets
- The campaign targeted three critical vulnerabilities: CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972.
  First reported: 24.10.2025 22:28 (2 sources, 2 articles: bleepingcomputer.com, infosecurity-magazine.com)
- CVE-2024-9234 is an unauthenticated REST-endpoint flaw in GutenKit, affecting versions 2.1.0 and earlier.
  First reported: 24.10.2025 22:28 (2 sources, 2 articles: bleepingcomputer.com, infosecurity-magazine.com)
- CVE-2024-9707 and CVE-2024-11972 are missing-authorization vulnerabilities in Hunk Companion, affecting versions 1.8.4 and older, and 1.8.5 and older, respectively.
  First reported: 24.10.2025 22:28 (2 sources, 2 articles: bleepingcomputer.com, infosecurity-magazine.com)
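The affected-version ranges above are the check a site owner actually needs to run. The script below is an added example (not Wordfence's code and not code from either plugin): it walks a `wp-content/plugins` directory, reads the standard WordPress plugin header block (`Plugin Name:` / `Version:`) from each plugin's main PHP file, and reports any install of GutenKit or Hunk Companion whose version falls inside the ranges stated on this page. The version ceilings and CVE ids come from the page; the plugin directory names and header blocks it creates under a temporary directory are constructed sample data, and the only assumption is that the plugins carry the normal WordPress header format.

```python
"""Audit a WordPress plugins directory for the GutenKit / Hunk Companion
versions named in the advisory.  Added example, not Wordfence's or the
plugins' own code.  Affected ceilings are the ones stated on the page."""
import os
import re
import tempfile

# (plugin header name) -> [(highest affected version, CVE), ...], as stated on the page
AFFECTED = {
    "GutenKit": [("2.1.0", "CVE-2024-9234")],
    "Hunk Companion": [("1.8.4", "CVE-2024-9707"), ("1.8.5", "CVE-2024-11972")],
}

# Matches " * Plugin Name: Foo" / " * Version: 1.2.3" lines of a WP plugin header block
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_version(text):
    """'2.1' -> (2, 1).  Non-numeric suffixes ('1.8.5-beta') are dropped so the
    comparison is numeric rather than lexicographic ('1.10' > '1.9')."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_le(a, b):
    """True when version tuple a <= b; the shorter tuple is zero-padded so 2.1 == 2.1.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def read_plugin_header(path):
    """Return {'Plugin Name': ..., 'Version': ...} parsed from the top of a PHP file
    (WordPress itself only inspects the first few KB for the header block)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return dict(HEADER_RE.findall(head))


def audit_plugins(plugins_dir):
    """Walk one plugins directory and return [(plugin name, installed version, CVE)]
    for every affected range the installed version falls into."""
    findings = []
    for entry in sorted(os.listdir(plugins_dir)):
        sub = os.path.join(plugins_dir, entry)
        if not os.path.isdir(sub):
            continue
        for fname in sorted(os.listdir(sub)):
            if not fname.endswith(".php"):
                continue
            hdr = read_plugin_header(os.path.join(sub, fname))
            if "Plugin Name" not in hdr:
                continue  # not the main plugin file
            name, ver = hdr["Plugin Name"], hdr.get("Version", "")
            if name in AFFECTED and ver:
                installed = parse_version(ver)
                for ceiling, cve in AFFECTED[name]:
                    if version_le(installed, parse_version(ceiling)):
                        findings.append((name, ver, cve))
            break  # one main file per plugin directory
    return findings


def build_sample_plugins_dir():
    """Create a throwaway plugins tree with constructed header blocks (sample data
    for this example; directory names are placeholders, not the real plugin slugs)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-sample-")
    samples = {
        "gutenkit-sample/gutenkit-sample.php": ("GutenKit", "2.1"),          # == 2.1.0 -> affected
        "hunk-companion-sample/hunk-companion-sample.php": ("Hunk Companion", "1.8.5"),  # only the later CVE
        "unrelated-sample/unrelated-sample.php": ("Some Other Plugin", "0.9"),
    }
    for rel, (name, ver) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
    return root


if __name__ == "__main__":
    for name, ver, cve in audit_plugins(build_sample_plugins_dir()):
        print(f"{name} {ver}: inside the affected range for {cve}")
```

Point `audit_plugins()` at a real `wp-content/plugins` path to audit a live install; matching on the `Plugin Name` header rather than the directory name means a renamed or vendored copy of the plugin is still caught, and the zero-padded comparison avoids the classic mistake of treating `2.1` and `2.1.0` as different versions.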
- The vulnerabilities allow attackers to install arbitrary plugins, leading to RCE.
  First reported: 24.10.2025 22:28 (2 sources, 2 articles: bleepingcomputer.com, infosecurity-magazine.com)
- The campaign involved 8.7 million attack attempts over two days.
  First reported: 24.10.2025 22:28 (2 sources, 2 articles: bleepingcomputer.com, infosecurity-magazine.com)
- Attackers use a malicious plugin hosted on GitHub to maintain persistence and execute commands.
  First reported: 24.10.2025 22:28 (2 sources, 2 articles: bleepingcomputer.com, infosecurity-magazine.com)
- Indicators of compromise include specific request paths and directory entries.
  First reported: 24.10.2025 22:28 (1 source, 1 article: bleepingcomputer.com)
- The vulnerabilities affect over 40,000 active installations of GutenKit and 8,000 active installations of Hunk Companion.
  First reported: 27.10.2025 12:15 (1 source, 1 article: infosecurity-magazine.com)
- Wordfence discovered the vulnerabilities via its bug bounty program on September 25 and October 3, 2024.
  First reported: 27.10.2025 12:15 (1 source, 1 article: infosecurity-magazine.com)
- Wordfence has blocked nearly 8.8 million exploitation attempts.
  First reported: 27.10.2025 12:15 (1 source, 1 article: infosecurity-magazine.com)
- The vulnerabilities allow threat actors to hijack targeted sites by uploading PHP files and executing malicious code on the server.
  First reported: 27.10.2025 12:15 (1 source, 1 article: infosecurity-magazine.com)
Similar Happenings
Active Exploitation of Unpatched Gladinet and TrioFox Vulnerability
Active exploitation of an unpatched security flaw in Gladinet CentreStack and TrioFox products continues. The zero-day vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that allows unintended disclosure of system files; it affects all versions prior to and including 16.7.10368.56560. The flaw has been exploited to retrieve the machine key from the application's Web.config file, which in turn enables remote code execution through an older ViewState deserialization vulnerability (CVE-2025-30406). Three customers have been impacted so far. The vulnerability was detected by researchers at Huntress on September 27, 2025; the vendor, Gladinet, was notified and worked on a fix, and a patch is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, disable the "temp" handler within the Web.config file for UploadDownloadProxy. The mitigations will impact some functionality of the platform but prevent exploitation of CVE-2025-11371.
Active exploitation of authentication bypass in Service Finder WordPress theme
Threat actors are actively exploiting a critical vulnerability in the Service Finder WordPress theme, allowing them to bypass authentication and gain administrative access. The flaw, tracked as CVE-2025-5947, affects versions 6.0 and older and has been exploited since September 2025. The vulnerability is present in the Service Finder Bookings plugin bundled with the Service Finder theme. Over 13,800 exploitation attempts have been recorded since August 2025, with a surge of over 1,500 attempts daily in late September. The flaw affects over 6,100 customers using the theme. Administrators are advised to update to version 6.1 or stop using the theme to mitigate the risk.
Meteobridge Command Injection Vulnerability Exploited in the Wild
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a high-severity command injection vulnerability (CVE-2025-4008) in Smartbedded Meteobridge as actively exploited in the wild. The flaw, with a CVSS score of 8.7, allows remote unauthenticated attackers to execute arbitrary code with elevated privileges on affected devices. The vulnerability resides in the Meteobridge web interface, specifically in the template.cgi script, which is vulnerable due to insecure use of eval calls. The flaw was discovered and reported by ONEKEY in February 2025 and was addressed in Meteobridge version 6.2, released on May 13, 2025. The vulnerability can be exploited through specially crafted requests and malicious webpages, posing a significant risk to users. Federal Civilian Executive Branch (FCEB) agencies are required to apply necessary updates by October 23, 2025, to mitigate the risk.
Active exploitation of critical SessionReaper flaw in Adobe Commerce and Magento Open Source
Adobe Commerce and Magento Open Source platforms are under active exploitation by hackers targeting the critical SessionReaper vulnerability (CVE-2025-54236). The flaw, with a CVSS score of 9.1, allows unauthenticated attackers to take control of customer accounts through the Commerce REST API. The patch was released on September 9, 2025, following an emergency notification to selected customers on September 4, 2025. Despite the patch, hundreds of exploitation attempts have been recorded, with many stores remaining unpatched. Adobe Commerce on Cloud customers are already protected by a WAF rule. The patch disables certain internal Magento functionalities, potentially affecting custom or external code. The vulnerability impacts multiple versions of Adobe Commerce, Adobe Commerce B2B, and Magento Open Source, as well as the Custom Attributes Serializable module. Over 250 Magento stores were hit overnight as hackers exploited the flaw, with attacks originating from five specific IP addresses. The attacks involved dropping PHP webshells or probing phpinfo to extract PHP configuration information. Exploitation activity for SessionReaper began on October 23, 2025, coinciding with the release of a proof-of-concept exploit. The threat activity has extended to 97 different IP addresses, indicating multiple actors are running mass scanners. Sansec advises that the window for safe patching has effectively closed and expects mass exploitation within the next 48 hours.