CVE-2024-9234

CRITICAL · EXPLOITED · NUCLEI

GutenKit < 2.1.0 - Unauthenticated Arbitrary File Upload via install-active-plugin Endpoint

Title source: llm

Exploitation Summary

CVE-2024-9234 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including RandomRobbieBF, Nxploited, Boshe99. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC demonstrates an unauthenticated arbitrary file upload vulnerability in GutenKit <= 2.1.0 via the `install-active-plugin` REST API endpoint, allowing attackers to install and activate arbitrary plugins.

Description

The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (the install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or to use the same functionality to upload arbitrary files disguised as plugins.

Exploits (3)

nomisec · WORKING POC · 2 stars
by RandomRobbieBF · remote
https://github.com/RandomRobbieBF/CVE-2024-9234

This PoC demonstrates an unauthenticated arbitrary file upload vulnerability in GutenKit <= 2.1.0 via the `install-active-plugin` REST API endpoint, allowing attackers to install and activate arbitrary plugins.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor <= 2.1.0
No auth needed
Prerequisites: WordPress site with GutenKit plugin <= 2.1.0 installed
devstral-2 · analyzed Feb 16, 2026

nomisec · WORKING POC · 1 star
by Nxploited · remote
https://github.com/Nxploited/CVE-2024-9234

This PoC exploits an unauthenticated arbitrary file upload vulnerability in GutenKit <= 2.1.0 by leveraging the `/wp-json/gutenkit/v1/install-active-plugin` endpoint to install a plugin without authentication. The script first checks for the vulnerable plugin version before attempting the exploit.

Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: GutenKit WordPress plugin <= 2.1.0
No auth needed
Prerequisites: Target must have GutenKit plugin <= 2.1.0 installed · Target must be a WordPress site
devstral-2 · analyzed Feb 16, 2026

github · WORKING POC
by Boshe99 · pythonpoc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2024-9234

The repository contains functional exploit code for CVE-2024-9234, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the ability to upload a malicious file to a vulnerable target.

Note: this summary names 3DPrint Lite 1.9.1.4 as the target, which does not match the product this CVE record lists (GutenKit < 2.1.0); check the repository contents against the CVE before relying on this entry.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: Vulnerable WordPress plugin installed · Network access to the target
devstral-2 · analyzed Feb 27, 2026

Nuclei Templates (1)

GutenKit <= 2.1.0 - Arbitrary File Upload
CRITICAL · VERIFIED · by s4e-io
FOFA: body="wp-content/plugins/gutenkit-blocks-addon"

Scores

CVSS v3: 9.8
EPSS: 0.1043
EPSS Percentile: 95.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2025-04-23
CWE: CWE-862
Status: published
Products (1): ataurr/GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor < 2.1.0
Published: Oct 11, 2024
Tracked Since: Feb 18, 2026