Up to 4 million online merchants who use the popular WooCommerce plugin are vulnerable to a file deletion vulnerability that could allow a rogue shop manager to escalate privileges and execute remote code on impacted websites. The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account. The exploit requires nothing more than an attacker being in control of an account with the user role “shop manager.” The vulnerability was reported in August and a patch was released in October.
Source: https://threatpost.com/wordpress-flaw-opens-millions-of-woocommerce-shops-to-takeover/138861/

