Find notable cyber news and cases, enriched with sources, timelines, and signals.

WordPress plugin exploitation wave (GutenKit and Hunk Companion)

Exploitation Wave
First reported
Last updated
Happening score
H score 55
1 unique sources, 1 articles

Summary

Hide ▲

WordPress sites are facing a broad exploitation wave against GutenKit and Hunk Companion plugin flaws, with Wordfence blocking 8.7 million attack attempts on October 8 and 9. The campaign abuses CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all critical (CVSS 9.8), to install arbitrary plugins and chain into remote code execution (RCE). Attackers have also used a GitHub-hosted malicious plugin archive called 'up' to support persistence, file theft, command execution, and admin takeover. Defenders are advised to watch for suspicious requests such as /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import, plus rogue entries under /up and /wp-query-console.

Related Happenings

PushEngage hit by cyberattack

Incident
H score93 First: 15.06.2026 12:59 Last: 15.06.2026 12:59 Sources 1

About this happening: **Awesome Motive**'s **WordPress plugin** delivery paths for **OptinMonster**, **TrustPulse**, and **PushEngage** were hit in a **CDN supply-chain incident** after attackers stole...

Latest development: 15.06.2026 20:37

Awesome Motive remediated the marketing site, migrated it to a new server, and rotated all credentials, including the CDN API key, after attackers exploited a known UpdraftPlus flaw to steal CDN account credentials from a server in its environment and modify JavaScript served from the company's CDN. The company says its application servers, source code, and systems storing OptinMonster and TrustPulse account information were hosted separately and were not breached.

PushEngage, OptinMonster, and TrustPulse CDN script-tampering campaign

Campaign
H score89 First: 15.06.2026 12:59 Last: 15.06.2026 12:59 Sources 1

About this happening: A **multi-plugin supply-chain campaign** targeted **Awesome Motive** WordPress plugins **OptinMonster**, **TrustPulse**, and **PushEngage**, with malicious JavaScript delivered th...

Latest development: 15.06.2026 20:37

Awesome Motive said a server in its environment was compromised after exploitation of a known UpdraftPlus WordPress plugin flaw, allowing attackers to steal the CDN API key for a marketing website and modify JavaScript distributed through the company’s CDN. The company remediated the marketing site, moved it to a new server, and rotated all credentials, including the CDN API key, while stating that its application servers, source code, and account-data systems were not breached.

Everest Forms Pro plugin actively exploited RCE (CVE-2026-3300)

Vulnerability
H score87 First: 04.06.2026 19:15 Last: 04.06.2026 19:15 Sources 1

About this happening: **Everest Forms Pro** has an **actively exploited** critical **remote code execution** flaw, **CVE-2026-3300**, that lets unauthenticated attackers run **PHP** and take over **Wor...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
H score34 First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Laravel Lang organization hit by network compromise

Incident
H score14 First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Timeline

  1. 24.10.2025 22:28 2 articles · 8mo ago

    Wordfence tracks mass WordPress plugin exploitation

    Campaign Scope Update

    Wordfence reports a widespread exploitation wave against WordPress websites using vulnerable GutenKit and Hunk Companion plugins, with 8.7 million blocked attack attempts against its customers on October 8 and 9, 2025. The activity abuses CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972 to install arbitrary plugins and can lead to remote code execution, while defenders are told to watch for /wp-json/gutenkit/v1/install-active-plugin and /wp-json/hc/v1/themehunk-import requests and rogue entries such as /up and /wp-query-console.

    Show sources