A new flaw was discovered in a WordPress plugin: this time, experts found a zero-day vulnerability in the ThemeREX Addons plugin that can be used to create admin accounts. The vulnerability resides in a REST-API endpoint registered by the plugin, which allows any PHP function to be executed without administrative permissions. A remote attacker could exploit the flaw to execute arbitrary code on WordPress installs running the flawed plugin. A patch has yet to be released; for this reason, experts suggest removing the plugin if sites are running version 1.6.50 and later.
Source: https://securityaffairs.co/wordpress/98149/hacking/themerex-plugin-zero-day.html

