A critical vulnerability in the popular WordPress plugin Simple Social Buttons enables non-admin users to modify WordPress installation options. The flaw allows privilege escalation, so that non-admins can take over administrator accounts or even whole websites. The vulnerability, rated 9.1 on the CVSS v3 severity scale, was discovered on Feb. 7, and a patch was released Feb. 8. Users of the plugin are urged to update to version 2.0.22.0. The plugin has more than 40,000 active installations, according to the WordPress plugin repository.
Source: https://threatpost.com/wordpress-plugin-flaw-website-takeover/141746/

