CVE-2024-9234
📋 TL;DR
This vulnerability allows unauthenticated attackers to upload arbitrary files and install/activate arbitrary plugins on WordPress sites using the GutenKit plugin. It affects all WordPress installations with GutenKit plugin versions up to 2.1.0. Attackers can gain full control of vulnerable websites.
💻 Affected Systems
- GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover with remote code execution, data theft, defacement, and malware distribution.
Likely Case
Backdoor installation leading to persistent access, credential theft, and site compromise.
If Mitigated
Limited impact if proper network segmentation and file integrity monitoring are in place.
🎯 Exploit Status
Simple HTTP request to REST API endpoint with crafted plugin file. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.1
Vendor Advisory: https://plugins.trac.wordpress.org/browser/gutenkit-blocks-addon/tags/2.1.1/includes/Admin/Api/ActivePluginData.php?rev=3164886
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find GutenKit plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 2.1.1 from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable REST API endpoint
allBlock access to the vulnerable REST API endpoint
Add to wp-config.php: define('DISABLE_WP_REST_API', true);
Deactivate plugin
linuxTemporarily disable the GutenKit plugin
wp plugin deactivate gutenkit-blocks-addon
🧯 If You Can't Patch
- Block external access to WordPress admin and REST API endpoints using WAF or firewall rules
- Implement file integrity monitoring on wp-content/plugins directory
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin panel under Plugins → Installed Plugins. If version is 2.1.0 or lower, site is vulnerable.Check Version:
wp plugin get gutenkit-blocks-addon --field=versionVerify Fix Applied:
Confirm plugin version is 2.1.1 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-json/gutenkit/v1/install-active-plugin
- Unauthorized plugin installation attempts
- Unexpected files in wp-content/plugins directory
Network Indicators:
- HTTP requests to WordPress REST API endpoints from unexpected sources
- Unusual plugin installation traffic
SIEM Query:
source="wordpress.log" AND ("install-active-plugin" OR "gutenkit/v1" OR "plugin installation")🔗 References
- https://github.com/WordPressBugBounty/plugins-gutenkit-blocks-addon/blob/dc3738bb821cf1d93a11379b8695793fa5e1b9e6/gutenkit-blocks-addon/includes/Admin/Api/ActivePluginData.php#L76
- https://plugins.trac.wordpress.org/browser/gutenkit-blocks-addon/tags/2.1.0/includes/Admin/Api/ActivePluginData.php?rev=3159783#L76
- https://plugins.trac.wordpress.org/browser/gutenkit-blocks-addon/tags/2.1.1/includes/Admin/Api/ActivePluginData.php?rev=3164886
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e44c5dc0-6bf6-417a-9383-b345ff57ac32?source=cve
