Mass Exploitation of Critical RCE Flaws in WordPress GutenKit and Hunk Companion Plugins
Hackers have launched a large-scale exploitation campaign targeting WordPress websites using vulnerable versions of the GutenKit and Hunk Companion plugins. Security researchers report that over 8.7 million attack attempts were blocked in just two days, with attackers leveraging three critical vulnerabilities—CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972—to achieve remote code execution (RCE) by installing arbitrary plugins without proper authentication or authorization. Despite patches being released for these flaws in late 2024, a significant number of websites remain unpatched and exposed to these attacks.
Threat actors are distributing a malicious plugin archive named 'up' via GitHub, which contains obfuscated scripts capable of uploading, downloading, and deleting files, as well as changing permissions on compromised sites. One script, disguised as a component of the All in One SEO plugin, enables attackers to automatically log in as administrators, facilitating persistence and further malicious activity. Website owners are urged to update to GutenKit 2.1.1 and Hunk Companion 1.9.0 or later to mitigate the risk of compromise from these ongoing mass exploitation attempts.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Wordfence reports blocking more than 8.7 million exploit attempts
Security reporting on the campaign said Wordfence blocked over 8.7 million attacks attempting to exploit the old GutenKit and Hunk Companion vulnerabilities. This quantified the scale of the ongoing mass exploitation activity.
Attackers launch mass exploitation of unpatched WordPress sites
By late October 2025, attackers were conducting large-scale attacks against WordPress sites running vulnerable versions of GutenKit and Hunk Companion. The campaign focused on exploiting outdated plugin installations rather than newly disclosed flaws.
GutenKit and Hunk Companion vulnerabilities were previously disclosed and patched
The mass exploitation campaign targeted older, already-known flaws in the WordPress plugins GutenKit and Hunk Companion. The references indicate these were outdated vulnerabilities affecting sites that had not applied available fixes.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Wordfence blocks 8.7M attacks exploiting old GutenKit and Hunk Companion flaws
securityaffairs.com
Open sourceCritical WordPress RCE Flaws Resurface: Over 8.7 Million Attacks Exploit GutenKit & Hunk Companion
securityonline.info
Open sourceHackers launch mass attacks exploiting outdated WordPress plugins
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical WordPress Plugin Flaws Expose Sites to File Upload, SQL Injection, and Takeover
Multiple **WordPress plugins** were flagged for severe vulnerabilities that could let attackers take over sites through unauthenticated file upload, SQL injection, arbitrary file deletion, and authorization bypass. References point to issues in plugins including **WP Duplicate**, **Ninja Forms File Upload**, **Ultimate Member**, **Product Addons for WooCommerce**, **CleanTalk Spam Protect**, **Ally**, **Perfmatters**, and **Kali Forms**, alongside identifiers such as **`CVE-2024-48930`**, **`CVE-2025-13192`**, and **`CVE-2026-1104`**. Several flaws were described as allowing arbitrary plugin installation, malicious file upload, or direct database manipulation, creating a path to remote code execution and full site compromise. Wordfence reports indicate the exposure spans **hundreds of thousands of WordPress sites**, with some bugs already under **active exploitation**. The most serious cases include an unauthenticated SQL injection flaw in the **Ally** plugin affecting roughly **400,000 sites**, an arbitrary file deletion issue in **Perfmatters** affecting about **200,000 sites**, and active attacks targeting a critical flaw in **Kali Forms**. Taken together, the disclosures show a broad wave of high-impact plugin security failures that increase the risk of website defacement, malware deployment, data theft, and administrator-level compromise across the WordPress ecosystem.
May 25, 2026
Critical WordPress Plugin Flaws Expose Sites to RCE and Privilege Escalation
Two high-severity vulnerabilities have been disclosed in widely deployed WordPress plugins, exposing internet-facing sites to **unauthenticated compromise**. `CVE-2026-3584` affects **Kali Forms** through version `2.4.9` and allows **remote code execution** because user-controlled input can be mapped into internal placeholder storage and later invoked via `call_user_func` in the `form_process` path. The issue is classified as `CWE-94` and carries a `CVSS 3.1` score with the vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating critical impact on confidentiality, integrity, and availability. A second flaw, `CVE-2026-4038`, affects **Aimogen Pro** through version `2.7.5` and enables **unauthenticated privilege escalation** through an arbitrary function call in `aiomatic_call_ai_function_realtime` caused by a missing capability check. According to the disclosure, attackers can invoke WordPress functions such as `update_option` to change the default registration role to administrator and enable user registration, effectively creating a path to full site takeover. The vulnerability is tracked as `CWE-862` and was likewise rated with a high-impact `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`.
Mar 21, 2026
Critical Privilege Escalation and File Upload Vulnerabilities in King Addons for Elementor
More than 10,000 WordPress sites using the King Addons for Elementor plugin are at risk of total site compromise due to two critical vulnerabilities. The first flaw, an unauthenticated privilege escalation (CVE-2025-8489), allows attackers to register new accounts with administrator privileges by exploiting improper role restrictions in plugin versions 24.12.92 through 51.1.14. The second vulnerability, an unauthenticated arbitrary file upload (CVE-2025-6327), enables attackers to inject malicious files into various directories by abusing an AJAX handler's exposed nonce, further increasing the risk of site takeover. Security researchers from Patchstack and Wordfence have confirmed that both vulnerabilities are remotely exploitable and require no authentication, making them highly attractive targets for threat actors. Site administrators are strongly urged to update to patched versions of the plugin, which now include a role allowlist, improved input sanitization for account creation, and stricter file type validation in the upload handler. Immediate patching is recommended to prevent exploitation and potential full compromise of affected WordPress sites.
Mar 21, 2026