The Yellow Pencil Visual Theme Customizer plugin was removed from the WordPress.org repository on Monday after a vulnerability was discovered in it; the plugin has an install base of more than 30,000 websites. Attackers could potentially change both the site URL and the home URL through an unauthenticated SQL injection. Researchers say attacks exploiting the vulnerability are part of a larger campaign run by the same threat actor. The plugin's developers have fixed the vulnerability in version 7.2.0 of the YellowPencil plugin and are now providing a download link for the patched version.
Source: https://www.bleepingcomputer.com/news/security/thousands-of-wordpress-sites-exposed-by-yellow-pencil-plugin-flaw/