Unauthenticated Arbitrary Plugin Installation and File Upload in GutenKit for WordPress
CVE-2024-9234 affects the GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress in all versions up to and including 2.1.0. The vulnerability is caused by a missing capability check in the install_and_activate_plugin_from_external() function exposed through the install-active-plugin REST API endpoint. Because the endpoint does not properly verify that the caller has sufficient privileges, an unauthenticated remote attacker can invoke functionality intended for administrative plugin management. This allows installation and activation of arbitrary plugins from an external source, and the same functionality can be abused to upload arbitrary files disguised as plugins. Given WordPress plugin installation semantics, this can lead directly to execution of attacker-supplied PHP code on the target site.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a Python proof-of-concept exploit for CVE-2024-9234, targeting the WordPress GutenKit plugin (version 2.1.0 and below). The exploit consists of a single script (CVE-2024-9234.py) and a README file. The script first checks if the target WordPress site is running the vulnerable GutenKit plugin by requesting the plugin's readme.txt file and verifying the version. If the site is vulnerable, it then exploits an unauthenticated endpoint ('/wp-json/gutenkit/v1/install-active-plugin') to upload and install a plugin (in this case, 'popularis-extra.1.2.6.zip' from the official WordPress repository) without authentication. This demonstrates the ability to perform arbitrary file uploads, which could be further weaponized by uploading a malicious plugin or webshell. The exploit is network-based and requires only the base URL of the target WordPress site as input.
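As an added example (not code from this page, the GutenKit plugin, or the PoC repository), the following log-triage script flags the two-step activity both the vulnerability description and the exploit summary above describe: an optional GET of the plugin's readme.txt as a version probe, followed by a POST to /wp-json/gutenkit/v1/install-active-plugin. The readme.txt path pattern is an assumption (the plugin directory name is not given on the page), and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Endpoint named on the page. The readme path is an assumption: the plugin's
# directory name is not given, so any plugins/gutenkit*/readme.txt is matched.
INSTALL_ENDPOINT = "/wp-json/gutenkit/v1/install-active-plugin"
README_RE = re.compile(r"^/wp-content/plugins/gutenkit[^/]*/readme\.txt$")

# Apache/nginx combined format: ip - - [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
SAMPLE_LOG = [  # constructed sample lines (RFC 5737 test addresses), not real traffic
    '198.51.100.7 - - [10/Oct/2024:13:01:02 +0000] "GET /wp-content/plugins/gutenkit-blocks-addon/readme.txt HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Oct/2024:13:01:05 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '192.0.2.44 - - [10/Oct/2024:13:02:10 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2024:13:05:00 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 403 42 "-" "curl/8.4.0"',
]

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def detect(lines):
    """One alert per POST to the install endpoint: admins install plugins through
    wp-admin, so any client calling this route deserves a look (2xx = the site accepted
    the request, 401/403 = a capability check rejected it). Also notes a prior readme probe."""
    readme_probes = defaultdict(list)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and README_RE.match(rec["path"]):
            readme_probes[rec["ip"]].append(rec["time"])
        elif rec["method"] == "POST" and rec["path"] == INSTALL_ENDPOINT:
            alerts.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "status": int(rec["status"]),
                "accepted": rec["status"].startswith("2"),
                "readme_probe_first": bool(readme_probes.get(rec["ip"])),
            })
    return alerts
```

An accepted POST from a client that never authenticated is the signal to move to the assume-compromise path: review the plugins directory and uploads for files created around that timestamp.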
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical remote code execution vulnerability in the GutenKit WordPress plugin due to missing capability checks, allowing arbitrary file uploads.
WordPress plugin vulnerability (GutenKit/Hunk Companion context) used in mass exploitation to enable unauthenticated plugin installation/activation leading to potential remote code execution.