CVE-2024-9234
published 2024-10-11

Priority: P1 87 · Severity: critical (9.8, CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 10.43% (95.2 percentile)
The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or utilize the functionality to upload arbitrary files spoofed like plugins.

Detection & IOCs (extracted from sources)

url: /wp-json/gutenkit/v1/install-active-plugin
path: /up
path: /background-image-cropper
path: /ultra-seo-processor-wp
path: /oke
path: /wp-query-console
filename: up.zip
command: POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1
  • Monitor WordPress access logs for POST requests to the unauthenticated REST endpoint /wp-json/gutenkit/v1/install-active-plugin, which is the direct attack vector for CVE-2024-9234.
  • Check WordPress plugin directories for unexpected folders named /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console as indicators of post-exploitation plugin drops.
  • Detect the malicious 'up' ZIP archive being fetched from GitHub and installed as a plugin; it contains obfuscated scripts for file upload/download/delete and permission changes.
  • Look for a password-protected script disguised as a component of the All in One SEO plugin that automatically logs in the attacker as an administrator.
  • Use the Nuclei template matcher: a JSON response body containing both 'Failed to unzip plugin' and 'success":false' with HTTP 200 and Content-Type application/json confirms a vulnerable GutenKit endpoint.
  • Use the FOFA fingerprint query body="wp-content/plugins/gutenkit-blocks-addon" to identify WordPress sites running the GutenKit plugin for targeted scanning.
  • The vulnerability exists only in GutenKit versions up to and including 2.1.0; version 2.1.1 (released October 2024) contains the fix with proper capability checks.
  • The attack is unauthenticated — no credentials or session tokens are required to exploit the install-active-plugin REST endpoint, making mass exploitation trivial.
  • The Nuclei detection template is marked 'intrusive' as it sends a live exploit request to the target endpoint with an external callback URL.
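As an added example (not code from the original advisory or the GutenKit project), the first two detection bullets above as a small Python check over constructed access-log lines and a constructed plugin-folder listing. It also matches the rest_route query form of the endpoint, which WordPress accepts when pretty permalinks are disabled and which a plain search for the /wp-json/ path would miss.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not from the original page or the GutenKit project.
# Log lines, client addresses and folder names below are constructed samples.
ROUTE = "/gutenkit/v1/install-active-plugin"            # REST route named in the advisory
SUSPICIOUS_PLUGIN_DIRS = {"up", "background-image-cropper",  # dropped-plugin folders
                          "ultra-seo-processor-wp", "oke", "wp-query-console"}

# Combined log format (Apache/nginx): client ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

SAMPLE_LOG = """\
203.0.113.5 - - [11/Oct/2024:10:15:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 213 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Oct/2024:10:15:02 +0000] "GET /wp-content/plugins/up/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Oct/2024:10:16:30 +0000] "POST /?rest_route=%2Fgutenkit%2Fv1%2Finstall-active-plugin HTTP/1.1" 200 213 "-" "curl/8.0"
192.0.2.9 - - [11/Oct/2024:10:17:00 +0000] "GET /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 404 98 "-" "Mozilla/5.0"
"""

def requested_rest_route(uri):
    """Return the REST route a request URI targets, or None if it is not a REST call.

    WordPress serves routes as /wp-json/<route> (pretty permalinks) and as
    /?rest_route=<route> (plain permalinks); both forms are normalised here.
    """
    parts = urlsplit(uri)
    path = parts.path.rstrip("/").lower()
    if path.startswith("/wp-json/"):
        return path[len("/wp-json"):]
    route = parse_qs(parts.query).get("rest_route")   # parse_qs also percent-decodes
    return route[0].rstrip("/").lower() if route else None

def scan_access_log(lines):
    """Return (ip, time, status) for every POST aimed at the vulnerable endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and requested_rest_route(m["uri"]) == ROUTE:
            hits.append((m["ip"], m["time"], int(m["status"])))
    return hits

def suspicious_plugin_dirs(names):
    """Filter a wp-content/plugins listing (e.g. os.listdir) to the advisory's folder names."""
    return sorted(set(names) & SUSPICIOUS_PLUGIN_DIRS)

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print("install-active-plugin POST from %s at %s (HTTP %d)" % hit)
```

A 200 response to such a POST on a site still running GutenKit 2.1.0 or earlier warrants a review of wp-content/plugins with suspicious_plugin_dirs, since the endpoint installs and activates whatever it is given.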

CVSS provenance

nvd: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL