A critical authentication bypass vulnerability allows anyone to log in as an administrator user on WordPress sites running an affected version of the InfiniteWP Client. The flaw was found in the iwp_mmb_set_request function in the init.php file, a function designed to check if actions attempted by a user are authenticated. The vulnerability was patched by Revmakx, the plugin’s maker, on January 8 with the release of InfiniteWP client 1.9.4.5, one day after researchers at WebARX disclosed the vulnerability.
Source: https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-bug-allows-admin-logins-without-password/

