Remote code execution and admin account creation
https://www.bleepingcomputer.com/news/security/zero-day-in-wordpress-plugin-exploited-to-create-admin-accounts/
A zero-day vulnerability in the ThemeREX Addons, a WordPress plugin installed on thousands of sites, is actively exploited by attackers to create user accounts with admin permissions and potentially fully taking over the vulnerable website.
Based on the estimations of WordPress site security firm Wordfence, the company that reported the ongoing attacks targeting the ThemeREX Addons zero-day bug, the plugin is currently installed on at least 44,000 websites.