A widespread exploitation campaign is targeting WordPress websites with GutenKit and Hunk Companion plugins vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE).

WordPress security firm Wordfence says that it blocked 8.7 million attack attempts against its customers in just two days, October 8 and 9.

The campaign expoits three flaws, tracked as CVE-2024–9234, CVE-2024–9707, and CVE-2024–11972, all rated critical (CVSS 9.8).