Two high severity security vulnerabilities found in the PageLayer plugin can let attackers wipe or take over WordPress sites using vulnerable plugin versions. The vulnerabilities were reported to PageLayer’s developer by the Wordfence Threat Intelligence team on April 30 and were patched with the release of version 1.1.2 on May 6. At least 120,000 WordPress sites with active PageLayer installation might be exposed to takeover and wipe attacks in the eventuality that hackers decide to exploit these bugs. The bugs are due to unprotected AJAX actions, nonce disclosure, and a lack of Cross-Site Request Forgery (CSRF) protection.
Source: https://www.bleepingcomputer.com/news/security/200k-sites-with-buggy-wordpress-plugin-exposed-to-wipe-attacks/