Vulnerabilities in Responsive Menu WordPress plugin exposed over 100,000 sites to takeover attacks. Wordfence Threat Intelligence team found three vulnerabilities that can be exploited by attackers with basic user permissions to upload arbitrary files and remotely execute arbitrary code. Users advised to immediately update to version 4.0.4 that addresses the bugs to prevent exploitation attempts. The company behind the plugin, ExpressTech, patched the security issues on January 19, 2021, following multiple contact attempts between December 17 and January 4.
Source: https://www.bleepingcomputer.com/news/security/buggy-wordpress-plugin-exposes-100k-sites-to-takeover-attacks/