More than 150,000 WordPress websites are at risk due to multiple critical security flaws found in widely used plugins, prompting urgent calls for updates and stronger security practices.
Quick Summary – TLDR:
- Three critical CVEs in GutenKit and Hunk Companion plugins are being actively exploited.
- Nearly 8.8 million exploit attempts blocked by Wordfence since the campaign resumed on October 8, showing large-scale, automated attacks.
- A flaw in the Anti-Malware Security plugin lets subscribers read sensitive server files.
- Patches have been released, but many sites remain unprotected.
What Happened?
Researchers at Wordfence have reported a surge in attacks exploiting critical flaws in two WordPress plugins, GutenKit and Hunk Companion, that allow unauthenticated attackers to install arbitrary plugins and, through them, execute code on the server. In a separate disclosure, a third plugin was found to let any subscriber-level user read sensitive server files, including the site's configuration and database credentials.
Critical Flaws Affect Popular Plugins
Wordfence reported three major vulnerabilities in the GutenKit and Hunk Companion plugins, which are installed on over 48,000 WordPress sites combined. These flaws allow unauthenticated attackers to install and activate arbitrary plugins. Because a WordPress plugin is simply PHP code that runs with the web server's privileges, installing a malicious one is equivalent to uploading a backdoor and gaining full control of the site.
Key CVEs in Exploitation:
- CVE-2024-9234: Found in GutenKit, this vulnerability lets unauthenticated attackers upload arbitrary files packaged as plugins. It carries a CVSS score of 9.8 (critical).
- CVE-2024-9707 and CVE-2024-11972: These affect the Hunk Companion plugin and enable plugin installation and activation without authentication. The latter bypasses the fix for the former and carries the same 9.8 CVSS score.
According to Wordfence, the campaign reemerged on October 8, and they’ve since blocked nearly 8.8 million attempts to exploit these vulnerabilities, underlining how aggressively attackers are targeting unpatched sites.
Wordfence has also published indicators of compromise, the IP addresses and domains used by the attackers, so that defenders can block them at the edge and hunt for past activity in their web server logs.
Another Plugin Lets Subscribers Read Sensitive Files
In a separate incident, Wordfence identified a medium-severity vulnerability in the Anti-Malware Security and Brute-Force Firewall plugin, used by over 100,000 websites. Tracked as CVE-2025-11705, this bug lets authenticated users with subscriber-level access read arbitrary files on the server.
The issue stems from a missing authorization check in the plugin's GOTMLS_ajax_scan() function. The function did verify a nonce, but a nonce only proves that the request originated from a page WordPress rendered for some logged-in user; any authenticated account, including a subscriber, can obtain one. Because no capability check followed, low-privilege users could read arbitrary files such as wp-config.php, which holds the database credentials and the site's cryptographic salts.
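To make the nonce-versus-authorization distinction concrete, the following is an added illustration written for this article; it is not code from the Anti-Malware Security plugin, from Wordfence, or from WordPress core. It shows a hypothetical admin-ajax file-reading handler (the action names, nonce name and log directory are assumptions) first with only a nonce check, as the vulnerable pattern, and then with the capability check and path restriction a practitioner would expect.

```php
<?php
/**
 * Added example, not the Anti-Malware Security plugin's code.
 * Hypothetical admin-ajax handlers that return a file's contents.
 */

// Vulnerable pattern: check_ajax_referer() only proves the request was
// built from a page that WordPress rendered for a logged-in user. A
// subscriber can call wp_create_nonce('example_scan_nonce') just as an
// administrator can, so nothing here asks whether the caller may read files.
function example_ajax_read_file_vulnerable() {
	check_ajax_referer( 'example_scan_nonce', 'nonce' ); // CSRF check only

	$path     = wp_unslash( $_POST['path'] ?? '' );   // attacker-controlled
	$contents = file_get_contents( $path );          // e.g. ABSPATH . 'wp-config.php'

	wp_send_json_success( array( 'contents' => $contents ) );
}
// wp_ajax_{action} fires for every authenticated user, regardless of role.
add_action( 'wp_ajax_example_read_file_vulnerable', 'example_ajax_read_file_vulnerable' );

// Hardened pattern: nonce for CSRF, a capability check for authorization,
// and an allow-list so even an administrator cannot read outside one directory.
function example_ajax_read_file_hardened() {
	check_ajax_referer( 'example_scan_nonce', 'nonce' );

	// Authorization: only users who can manage the site may read scan output.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// Confine reads to the plugin's own log directory (assumed location).
	// basename() strips any directory component, so '../wp-config.php'
	// becomes 'wp-config.php' inside $base; realpath() resolves symlinks
	// and the prefix check catches anything that still escapes.
	$base = realpath( WP_CONTENT_DIR . '/example-scan-logs' );
	$name = basename( wp_unslash( $_POST['path'] ?? '' ) );
	$path = ( false !== $base ) ? realpath( $base . '/' . $name ) : false;

	if ( false === $base || false === $path
		|| 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
		wp_send_json_error( array( 'message' => 'Invalid file.' ), 400 );
	}

	wp_send_json_success( array( 'contents' => file_get_contents( $path ) ) );
}
add_action( 'wp_ajax_example_read_file_hardened', 'example_ajax_read_file_hardened' );
```

The practical check when auditing a plugin is therefore to look at every `wp_ajax_` and REST handler and ask two separate questions: does it verify a nonce (or REST `permission_callback`) against CSRF, and does it call `current_user_can()` with a capability that matches what the handler does? A handler that answers only the first question is reachable by whatever the lowest role on the site can do, which on a site with open registration means anyone.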
Details on the Vulnerability:
- CVE ID: CVE-2025-11705
- CVSS Score: 6.5 (Medium)
- Affected Versions: Up to 4.23.81
- Patched Version: 4.23.83
- Discovered By: Security researcher Dmitrii Ignatyev
- Disclosure Date: October 3, 2025
- Patch Release: October 15, 2025
Although this flaw requires an account to exploit, many sites allow public user registration through the "Anyone can register" option in Settings > General, typically for comments or community features, and the default role for new accounts is subscriber. On such sites the "authenticated" precondition is met by anyone who signs up, so a large number of installations are exposed if left unpatched.
Wordfence confirmed no active exploitation so far but warned that public disclosure may attract attacks. They also noted that over 50,000 site owners have already updated to the patched version, leaving a significant number still exposed.
SQ Magazine Takeaway
Honestly, this is a big wake-up call. I get that plugin updates can be a hassle, especially when you’re managing a bunch of sites. But ignoring them opens the door wide for attackers to walk right in. The fact that unauthenticated users could install rogue plugins or that regular subscribers could peek into your config files? That’s a huge deal. If your site runs any of these plugins, update them now. And if you allow user registration, keep an even closer eye. It’s not just about patches. It’s about being proactive and staying secure.