Hackers can take over WordPress websites running Slick Popup plugin by enabling a backdoor administrator account with hardcoded credentials. The vulnerability is active at the moment and affects all versions of the plugin up to 1.7.1 – which is currently the latest release. The developer has not come up with a fix for the vulnerability a month after acknowledging it. Deactivating or deleting the plugin are two recommendations to ensure that a website running it remains safe. The plugin is designed to customize how and where the Contact Form 7 plugin is displayed on webpages.
Source: https://www.bleepingcomputer.com/news/security/wordpress-slick-popup-plugin-contains-vulnerable-support-backdoor/