Wordfence has published details of security vulnerabilities in two WordPress plugins, both discovered by its Threat Intelligence team.
The first is an OS command injection vulnerability in the WP Database Backup plugin, which the WordPress.org plugin directory lists at over 70,000 active installations. Because the flaw lets an attacker run operating system commands on the web server, successful exploitation can lead to full site takeover. The developers released a patched version on April 30th, so sites running this plugin should update immediately.
The second is a privilege escalation vulnerability in the Slick Popup plugin, currently active on about 7,000 sites. It allows an attacker with only Subscriber-level access to create Administrator-level accounts, which amounts to a full site takeover. Wordfence reported the details to the developers on April 22nd, but no fix has been released yet. Until a patch is available, site owners are advised to stop using the plugin: deactivate and delete it rather than merely leaving it installed, and review the site's user list for unexpected Administrator accounts.