Unencrypted cookies leave WordPress accounts exposed to hijacking on insecure networks, even if the two-factor authentication is enabled. A hacker who share same Wi-Fi connection of victims exploiting the vulnerability could lock out the legitimate user of the account. The vulnerability allows users to be authenticated to the Dashboard section of the WordPress platform which gives to the logged account administrative privileged status. WordPress administrators must be aware that it is quite easy for hackers to hijack their web site if they login from the same WI-Fi.”]
Source: https://securityaffairs.co/wordpress/25261/hacking/serious-wordpress-issue.html