Blog | G5 Cyber Security

WordPress Yellow Pencil Plugin Flaws Actively Exploited

The Yellow Pencil Visual Theme Customizer plugin is being exploited in the wild after two software vulnerabilities were discovered. The attacker exploiting these flaws has been behind several other recent plugin attacks, researchers said. The first flaw is a privilege-escalation vulnerability in the plugin's yellow-pencil.php file. The second flaw is a missing cross-site request forgery (CSRF) check in the affected function; had the check been present, the flaw would have been much more difficult to exploit, they said. Users are urged to update to the latest version of the plugin, 7.2.0.

Source: https://threatpost.com/wordpress-yellow-pencil-plugin-exploited/143729/
