CVE-2024-9234

CRITICAL · EXPLOITED · NUCLEI

GutenKit - Unauthenticated RCE


Description

The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (the install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or to use the same functionality to upload arbitrary files disguised as plugins.

Exploits (3)

nomisec · WORKING POC · 2 stars
by RandomRobbieBF · remote
https://github.com/RandomRobbieBF/CVE-2024-9234

nomisec · WORKING POC · 1 star
by Nxploited · remote
https://github.com/Nxploited/CVE-2024-9234

github · WORKING POC
by Boshe99 · pythonpoc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2024-9234

Nuclei Templates (1)

GutenKit <= 2.1.0 - Arbitrary File Upload
CRITICAL · VERIFIED · by s4e-io
FOFA: body="wp-content/plugins/gutenkit-blocks-addon"

Scores

CVSS v3 9.8
EPSS 0.9295
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2025-04-23

Classification

CWE
CWE-862
Status draft

Timeline

Published Oct 11, 2024
Tracked Since Feb 18, 2026