WordPress plugin bug lets hackers create rogue admin accounts

The Real-Time Find and Replace plugin allows users to temporarily replace text and code content on their sites in real-time without having to go into the sites’ source code. The vulnerability is a Cross-Site Request Forgery (CSRF) that leads to Stored Cross-site Scripting (Stored XSS) attacks. It can be abused to trick WordPress admins into injecting malicious JavaScript into their own websites’ pages after clicking a malicious link. The malicious code could then be used to inject a new administrative user account, steal session cookies, or redirect users to a malicious site.
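The defence against the CSRF-to-stored-XSS chain described above, as an added example that is not the plugin's own code: a WordPress settings handler that rejects any save request lacking a per-user nonce, and filters stored markup for users who may not post raw HTML. The plugin header and every `efr_`/`EFR_` name are hypothetical; the WordPress functions called are core APIs.

```php
<?php
/* Plugin Name: Example Find/Replace Settings (hypothetical, illustration only) */

const EFR_ACTION = 'efr_save'; // hypothetical action name, also used as the nonce action

// Settings form: wp_nonce_field() embeds a token tied to the action and the admin's session.
function efr_render_form() {
    $rules = get_option( 'efr_rules', array( 'find' => '', 'replace' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EFR_ACTION ); ?>">
        <?php wp_nonce_field( EFR_ACTION, 'efr_nonce' ); ?>
        <input name="find" value="<?php echo esc_attr( $rules['find'] ); ?>">
        <textarea name="replace"><?php echo esc_textarea( $rules['replace'] ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

function efr_add_menu() {
    add_options_page( 'Find/Replace', 'Find/Replace', 'manage_options', 'efr', 'efr_render_form' );
}
add_action( 'admin_menu', 'efr_add_menu' );

// Save handler: a forged cross-site POST carries the admin's cookies but not the nonce.
function efr_save_rules() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Dies with an error page if efr_nonce is missing or invalid, closing the CSRF.
    check_admin_referer( EFR_ACTION, 'efr_nonce' );

    $find    = isset( $_POST['find'] ) ? sanitize_text_field( wp_unslash( $_POST['find'] ) ) : '';
    $replace = isset( $_POST['replace'] ) ? wp_unslash( $_POST['replace'] ) : '';

    // A find/replace tool stores markup by design, so raw input is accepted only from
    // users WordPress already trusts with unfiltered HTML; everyone else is filtered.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $replace = wp_kses_post( $replace );
    }

    update_option( 'efr_rules', array( 'find' => $find, 'replace' => $replace ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=efr' ) );
    exit;
}
add_action( 'admin_post_' . EFR_ACTION, 'efr_save_rules' );
```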

Source: https://www.bleepingcomputer.com/news/security/wordpress-plugin-bug-lets-hackers-create-rogue-admin-accounts/
