Amid spiking reports of cyberattacks, WordPress websites are once again in the crosshairs—this time due to a wave of targeted remote code execution (RCE) exploits against outdated plugins. Critical vulnerabilities in widely used plugins like GutenKit, Hunk Companion, WP Ghost, and others have opened the door for unauthenticated attackers to hijack thousands of sites. Despite patches being available, sluggish update adoption has fueled one of the most active exploitation campaigns in recent months.
A global wave of remote code execution attacks is targeting outdated WordPress plugins, including GutenKit, Hunk Companion, and WP Ghost. Despite available patches, sluggish updates have left thousands of sites exposed, fueling millions of exploit attempts across the web.
Mass Exploitation Surges as WordPress Admins Lag on Patches
Thousands of WordPress websites are currently vulnerable to RCE due to unpatched plugins with publicly disclosed flaws. The situation has escalated significantly, with security vendors such as Wordfence reporting millions of attack attempts in short timeframes.
GutenKit and Hunk Companion Lead the RCE Blitz
Wordfence recently identified mass exploitation attempts targeting the GutenKit and Hunk Companion plugins. Both plugins expose REST API endpoints that install and activate plugins, and both shipped those endpoints without a proper authorization (capability) check, so a single unauthenticated HTTP request is enough to trigger an install. Specifically:
- CVE-2024-9234 affects the GutenKit plugin (versions 2.1.0 and earlier).
- CVE-2024-9707 and CVE-2024-11972 affect the Hunk Companion plugin (versions 1.8.7 and earlier); the second CVE was assigned after the fix for the first proved incomplete.
- All three vulnerabilities carry a CVSS score of 9.8, reflecting their severity.
The vulnerabilities allow attackers to install and activate arbitrary plugins remotely, with no authentication required. In early October alone, Wordfence blocked a staggering 8.7 million exploit attempts against these two plugins. Despite this activity, adoption of patched versions remains insufficient.
Administrators are strongly urged to update:
- GutenKit to version 2.1.1
- Hunk Companion to version 1.9.0
According to a December 2024 update from Ars Technica, fewer than 12% of Hunk Companion users had installed the fix, leaving at least 9,000 installations exposed. Making matters worse, attackers do not stop at the plugin-install bug: they use it to fetch and activate WP Query Console, an abandoned plugin that was still downloadable from the WordPress.org repository, and then exploit that plugin's own unauthenticated RCE flaw (CVE-2024-50498) to run arbitrary PHP on the server. The chain turns an arbitrary-plugin-install weakness into full compromise.
Over 200,000 Sites at Risk via WP Ghost RCE Vulnerability
A separate vulnerability targeting the WP Ghost plugin (CVE-2025-26909) has added to the urgency for WordPress administrators. According to Cyber Security News and BleepingComputer reporting, this plugin is installed on over 200,000 websites.
The flaw is in the plugin's `showFile()` function. Because a user-supplied path is not adequately validated, an unauthenticated attacker can turn it into a local file inclusion (LFI), and on many server configurations LFI can be escalated to arbitrary code execution. Exploitation requires the plugin's Change Paths feature to be set to Lite or Ghost mode, which is not the default, so sites that enabled those modes are the ones exposed. A patch has been released in version 5.4.02, and administrators running affected versions are advised to update immediately to prevent potential takeovers.
Lesser-Known Plugins Also Pose Serious Risks
While GutenKit, Hunk Companion, and WP Ghost dominate attack telemetry, several other plugins have had high-severity RCE vulnerabilities disclosed recently. Among them:
- Backup Migration Plugin
  * Vulnerability: CVE-2023-6553
  * Affected versions: <1.3.8
  * Exploitable via the `/includes/backup-heart.php` endpoint
  * Installed on over 90,000 sites
- Widget Logic Plugin
  * Affected versions: ≤6.0.5
  * Allows attackers to execute commands remotely
  * Mitigation: Update to version 6.0.6
- WP Fusion Lite Plugin
  * Affected versions: ≤3.41.24
  * Remote code execution via arbitrary function execution
  * Patch available in version 3.42.10
- WP EXtra Plugin
  * Affected versions: ≤6.2
  * Vulnerable due to arbitrary `.htaccess` modifications
  * Resolved in version 6.3
- PHP Everywhere Plugin
  * Vulnerabilities: CVE-2022-24663, CVE-2022-24664, CVE-2022-24665
  * Exploitable by authenticated users with roles as low as subscriber or contributor
  * Patched in version 3.0.0
Each of these flaws, if successfully exploited, gives the attacker code execution on the web server and, with it, control of the site. Not all of them are reachable anonymously: the PHP Everywhere flaws require at least a subscriber account, a bar that is trivially cleared on sites with open registration. While some are older, the existence of active campaigns shows that outdated plugins continue to present viable attack surfaces.
Inconsistent Patch Adoption Undermines Site Security
Despite the availability of patches for all reported vulnerabilities, many WordPress site administrators remain slow to respond. In the case of the Hunk Companion plugin alone, a majority of users have yet to apply the critical update nearly two months after its release.
This delay not only puts individual sites at risk but also feeds broader exploitation campaigns, since attackers scan the internet for vulnerable targets in bulk, automate payload delivery, and keep access through backdoors installed on compromised sites.
“Failure to patch a single plugin can expose an entire site to full remote takeover,” noted one security analyst. “The cumulative effect is that thousands of websites collectively sustain a distributed threat environment ideal for botnet building or ransomware staging.”
Immediate Actions for WordPress Administrators
With the current volume of targeted RCE attacks, time is of the essence for mitigating risk. Administrators of WordPress websites should:
- Inventory all installed plugins and identify versions impacted by disclosed vulnerabilities.
- Apply security updates immediately, prioritizing high-risk plugins like GutenKit, Hunk Companion, and WP Ghost.
- Audit site access logs for unusual behavior, such as POST requests to plugin REST endpoints that install plugins or import content, plugin directories that appeared without an administrator installing them, or bursts of failed login attempts.
- Implement a Web Application Firewall (WAF) to help block known exploit payloads; treat it as a stopgap while patching, since rule sets lag behind new payload variants.
- Disable and remove plugins that are out of date, unsupported, or unnecessary.
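The inventory and log-audit steps above, together with the REST-endpoint abuse described in the GutenKit and Hunk Companion section, as an added example in Python. This is not code from the article, from Wordfence, or from any plugin vendor. It reads the JSON that `wp plugin list --format=json` produces, flags installed plugins that sit below the patched versions the article names, and scans combined-format (Apache/nginx) access-log lines for calls to the REST routes the campaign abuses, in both the `/wp-json/...` and `/?rest_route=...` forms WordPress accepts. The plugin slugs and REST route paths are assumptions taken from public reporting and must be confirmed against your own `wp plugin list` output and the vendor advisories; the sample plugin list and log lines are constructed.

```python
"""Added example for the WordPress plugin RCE article; not code from the
article, Wordfence, or any plugin vendor.

  vulnerable_plugins()  - compare `wp plugin list --format=json` output
                          against the patched versions the article names.
  suspicious_requests() - scan combined-format access-log lines for calls
                          to the REST routes abused in the campaign.
Plugin slugs and REST routes are assumptions from public reporting;
verify them against your own site and the vendor advisories.
"""
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Minimum safe version per plugin slug (article's "update to" figures).
# Slugs are ASSUMED; match them to the `name` field wp-cli prints.
FIXED_VERSIONS: Dict[str, str] = {
    "gutenkit-blocks-addon": "2.1.1",        # GutenKit, CVE-2024-9234
    "hunk-companion": "1.9.0",               # CVE-2024-9707 / CVE-2024-11972
    "wp-hide-security-enhancer": "5.4.02",   # WP Ghost, CVE-2025-26909
    "backup-backup": "1.3.8",                # Backup Migration, CVE-2023-6553
}

# REST routes (without the /wp-json prefix) hit by the plugin-install and
# WP Query Console exploits. ASSUMED from public reporting; confirm locally.
ABUSED_ROUTES = (
    "/gutenkit/v1/install-active-plugin",
    "/hc/v1/themehunk-import",
    "/wqc/v1/query",
)

# Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.4.02' -> (5, 4, 2): numeric comparison, so leading zeros are
    harmless and 5.4.2 < 5.4.10 (a plain string compare gets that wrong)."""
    out = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        out.append(int(m.group()) if m else 0)
    return tuple(out)


def vulnerable_plugins(plugin_list_json: str) -> List[Tuple[str, str, str]]:
    """Return (slug, installed, fixed) for every plugin below its patched
    version, active or not: an inactive plugin's PHP files are still on disk
    and are often still directly reachable."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        fixed = FIXED_VERSIONS.get(plugin["name"])
        if fixed and parse_version(plugin["version"]) < parse_version(fixed):
            findings.append((plugin["name"], plugin["version"], fixed))
    return findings


def rest_route(target: str) -> str:
    """Normalise both REST call forms WordPress accepts to '/<route>':
    /wp-json/<route> and /?rest_route=/<route>. '' for non-REST requests."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return qs["rest_route"][0]
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):]
    return ""


def suspicious_requests(log_lines) -> List[Tuple[str, str, str, int]]:
    """Return (ip, method, route, status) for each request to an abused route.
    A 200 means the endpoint accepted the call; 401/403 means the patched
    plugin or a WAF refused it."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; real tooling should count these
        route = rest_route(m.group("target"))
        if any(route.startswith(r) for r in ABUSED_ROUTES):
            hits.append((m.group("ip"), m.group("method"), route,
                         int(m.group("status"))))
    return hits


# --- constructed sample data (not a real site, not real logs) ------------
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "gutenkit-blocks-addon", "status": "active",
     "update": "available", "version": "2.1.0"},
    {"name": "hunk-companion", "status": "inactive",
     "update": "available", "version": "1.8.7"},
    {"name": "wp-hide-security-enhancer", "status": "active",
     "update": "none", "version": "5.4.02"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2025:10:14:02 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [08/Oct/2025:10:14:05 +0000] "POST /?rest_route=/hc/v1/themehunk-import HTTP/1.1" 403 128 "-" "python-requests/2.31"
198.51.100.9 - - [08/Oct/2025:10:15:11 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for slug, have, need in vulnerable_plugins(SAMPLE_PLUGIN_LIST):
        print(f"UPDATE {slug}: installed {have}, fixed in {need}")
    for ip, method, route, status in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"REST abuse: {ip} {method} {route} -> {status}")
```

Point it at live data with `wp plugin list --format=json > plugins.json` and the web server's access log. A 200 response to an install route from a client that never authenticated warrants treating the site as potentially compromised rather than merely vulnerable, so the follow-up is a review of `wp-content/plugins/` for directories no administrator added, not just an update.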
Conclusion: Proactive Maintenance is Crucial Amid Rising WordPress Exploits
The current wave of WordPress RCE attacks underscores the persistent risk posed by outdated and vulnerable plugins. With exploits circulating for both widely used and niche plugins, the burden falls squarely on administrators to maintain timely patching, reduce plugin sprawl, and monitor exposure.
As long as attackers find success exploiting old versions of popular WordPress plugins like WP Ghost, GutenKit, and Hunk Companion, campaigns will persist—escalating the risk of website defacements, malware injections, and data breaches across the web.