Find notable cyber news and cases, enriched with sources, timelines, and signals.

GutenKit and Hunk Companion actively exploited unauthenticated plugin-install flaws (multiple vulnerabilities)

Vulnerability
First reported
Last updated
Happening score
H score 56
2 unique sources, 2 articles

Summary

Hide ▲

WordPress sites using GutenKit and Hunk Companion are facing actively exploited plugin-install flaws tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972. The critical (CVSS 9.8) issues let attackers install arbitrary plugins and can lead to remote code execution (RCE). Wordfence said it blocked 8.7 million attack attempts on October 8 and 9, and researchers tied the activity to a GitHub-hosted malicious plugin archive called 'up'. Defenders are told to watch for specific request paths and rogue directories, and to keep plugins updated.

Related Happenings

ShapedPlugin hit by network compromise

Incident
H score19 First: 18.06.2026 15:55 Last: 18.06.2026 15:55 Sources 1

About this happening: **ShapedPlugin** suffered a **supply-chain compromise** that pushed infected **WordPress plugin** releases to paying customers through the vendor's **official update system**, put...

PushEngage hit by cyberattack

Incident
H score93 First: 15.06.2026 12:59 Last: 15.06.2026 12:59 Sources 1

About this happening: **Awesome Motive**'s **WordPress plugin** delivery paths for **OptinMonster**, **TrustPulse**, and **PushEngage** were hit in a **CDN supply-chain incident** after attackers stole...

Latest development: 15.06.2026 20:37

Awesome Motive remediated the marketing site, migrated it to a new server, and rotated all credentials, including the CDN API key, after attackers exploited a known UpdraftPlus flaw to steal CDN account credentials from a server in its environment and modify JavaScript served from the company's CDN. The company says its application servers, source code, and systems storing OptinMonster and TrustPulse account information were hosted separately and were not breached.

PushEngage, OptinMonster, and TrustPulse CDN script-tampering campaign

Campaign
H score89 First: 15.06.2026 12:59 Last: 15.06.2026 12:59 Sources 1

About this happening: A **multi-plugin supply-chain campaign** targeted **Awesome Motive** WordPress plugins **OptinMonster**, **TrustPulse**, and **PushEngage**, with malicious JavaScript delivered th...

Latest development: 15.06.2026 20:37

Awesome Motive said a server in its environment was compromised after exploitation of a known UpdraftPlus WordPress plugin flaw, allowing attackers to steal the CDN API key for a marketing website and modify JavaScript distributed through the company’s CDN. The company remediated the marketing site, moved it to a new server, and rotated all credentials, including the CDN API key, while stating that its application servers, source code, and account-data systems were not breached.

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
H score34 First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Timeline

  1. 27.10.2025 12:15 1 articles · 8mo ago

    GutenKit and Hunk Companion actively exploited unauthenticated plugin-install flaws (multiple vulnerabil

    Initial Disclosure

    Initial disclosure centered on three critical WordPress plugin flaws found through bug bounty work on **September 25** and **October 3, 2024**. The weaknesses allowed unauthenticated plugin installation and activation, creating a direct path to **RCE** before broader exploitation accelerated.

    Show sources
  2. 24.10.2025 22:28 1 articles · 8mo ago

    Wordfence blocks 8.7 million attacks against vulnerable WordPress plugins

    Exploitation Observed

    On October 24, 2025, Wordfence said it blocked 8.7 million attack attempts against WordPress sites using GutenKit and Hunk Companion over October 8 and 9, as a widespread exploitation campaign abused CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972 to install arbitrary plugins and enable RCE. Researchers also tied the campaign to a GitHub-hosted malicious plugin archive called 'up' and advised defenders to watch for /wp-json/gutenkit/v1/install-active-plugin, /wp-json/hc/v1/themehunk-import, /up, /background-image-cropper, /ultra-seo-processor-wp, /oke, and /wp-query-console.

    Show sources