A critical vulnerability in a WordPress plugin known as ThemeREX Addons could open the door for remote code execution in tens of thousands of websites. The bug has been actively exploited in the wild as a zero-day, according to Wordfence. The plugin is installed on approximately 44,000 sites and is used to apply various skins that govern the look and feel of web destinations. ThemeREX has now addressed the issue by removing the affected plugin from the plugin.
Source: https://threatpost.com/themerex-wordpress-plugin-remote-code-execution/153592/