A critical remote code execution vulnerability affects all previous versions of WordPress content management software released in the past 6 years. Remote code execution attack, discovered and reported to the WordPress security team late last year, can be exploited by a low privileged attacker with at least an “author” account. The attack can be executed within seconds to gain complete control over a vulnerable WordPress blog. The next release of WordPress will include a fix to completely address the issue demonstrated by the researcher. The vulnerability is still unpatched even in the latest WordPress version.
Source: https://thehackernews.com/2019/02/wordpress-remote-code-execution.html

