The vulnerability was discovered by Polish security researcher Dawid Golunski of Legal Hackers. Tracked as CVE-2017-8295, it affects all versions of WordPress, including the latest version, 4.7.4. The attack could be carried out either with user interaction (the scenario in which the user hits the ‘reply’ button) or without user interaction. The flaw was found by the same researcher who discovered a critical vulnerability in the popular open source PHPMailer libraries that allowed malicious actors to remotely execute arbitrary code in the context of the web server.
Source: https://thehackernews.com/2017/05/hacking-wordpress-blog-admin.html

