Two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from the same critical authorization bypass bug that allows adversaries to access a site's backend with no password. Researchers from WebArx created proof-of-concept attacks to exploit the vulnerability. According to the plugin library, 300,000 websites are running a version of the vulnerable InfiniteWP Client plugin. The vulnerabilities were first reported on Jan. 7, 2020, and the next day the developers released new versions of the plugins.
Source: https://threatpost.com/wordpress-bug-leaves-sites-open-to-attack/151911/

