There is an easily exploitable remote code execution vulnerability in a popular WordPress plugin that helps manage file downloads. Researchers at Sucuri discovered the vulnerability, and a fixed version of the plugin was released earlier this week. The vulnerability affects WP Download Manager versions 2.7.4 and lower, and it could be used to implant a backdoor on a vulnerable site or gain access to admin accounts. The bug in the plugin is caused by an Ajax function that didn't enforce permission checks.
Source: https://threatpost.com/critical-remote-code-execution-flaw-found-in-wordpress-plugin/109720/

