Hackers are attempting to take over tens of thousands of WordPress sites by exploiting critical vulnerabilities including a zero-day in multiple plugins that allow them to create rogue administrator accounts and to plant backdoors. The attacks on WordPress sites have started yesterday by targeting a zero day unauthenticated stored XSS bug found in the Flexible Checkout Fields for WooCommerce plugin with 20,000 active installations. The developers behind the Async JavaScript and 10Web Map Builder for Google Maps have already released patches for the two bugs actively exploited in the wild.
Source: https://www.bleepingcomputer.com/news/security/critical-bugs-in-wordpress-plugins-let-hackers-take-over-sites/