A critical vulnerability in a plugin for WordPress websites allows an unauthenticated attacker to create accounts with administrator privileges. The problem stems from a lack of filtering when the plugin processes a new user subscription submitted through a form it supplies. Administrators are advised to update the plugin to version 3.4.2.3.6.2. The issue affects all versions of the plugin up to versions 3.5.2 and 3.7.2. An attacker can submit the subscription form with the value of “cp_set_user” modified and set to “administrator”.
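The missing filtering described above, shown as an unsafe handler beside a hardened one. This is an added example, not the plugin's own code: the function names, the `email` field and the allow-list policy are assumptions, and only the `cp_set_user` field name comes from the article.

```php
<?php
// Added illustration: hypothetical handlers, not code from the plugin.
// Only the form field name cp_set_user is taken from the article.

// Assumed policy: a public subscription form may only ever assign these roles.
const EXAMPLE_ALLOWED_ROLES = array( 'subscriber' );

// Unsafe pattern: the role comes straight from the request body, so any
// visitor who edits the hidden field chooses their own privilege level.
function example_subscribe_unfiltered( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['email'] ),
        'user_email' => sanitize_email( $post['email'] ),
        'user_pass'  => wp_generate_password(),
        'role'       => $post['cp_set_user'], // client-controlled value
    ) );
}

// Hardened pattern: the requested role is normalised and accepted only if it
// is on the server-side allow-list; anything else falls back to 'subscriber'.
function example_resolve_role( array $post ) {
    $requested = isset( $post['cp_set_user'] )
        ? sanitize_key( wp_unslash( $post['cp_set_user'] ) )
        : '';
    if ( in_array( $requested, EXAMPLE_ALLOWED_ROLES, true ) ) {
        return $requested;
    }
    return 'subscriber';
}

function example_subscribe_filtered( array $post ) {
    $email = sanitize_email( wp_unslash( $post['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'A valid e-mail address is required.' );
    }
    return wp_insert_user( array(
        'user_login' => sanitize_user( $email, true ),
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => example_resolve_role( $post ), // never the raw field
    ) );
}
```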
Source: https://www.bleepingcomputer.com/news/security/convert-plus-plugin-flaw-lets-attackers-become-a-wordpress-admin/