A critical vulnerability in the WP Product Review Lite plugin can be remotely exploited by unauthenticated attackers. Attackers can bypass the WordPress user input data sanitization function to launch Stored Cross-Site Scripting (Stored XSS) attacks that, on successful exploitation, allow them to inject malicious scripts into all the products stored in the targeted site's database. The vulnerability was fixed in version 3.7.6, released on May 14, one day after Sucuri Labs reported it. Over 33,000 sites running vulnerable versions of the plugin are still exposed to attacks.
Source: https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-bug-allows-for-automated-takeovers/

