A new WordPress flaw is believed to have exposed over 4 million WordPress sites to takeover. The affected sites ran the Really Simple Security plugin, which contained a critical vulnerability. The flaw is an authentication bypass: it allows an attacker to log in as any user, which provides full administrative access to user accounts. The vulnerability is triggered if two-factor authentication is enabled. Really Simple Security has since released patches for the bug, which were automatically pushed out to all users by the WordPress site. Users of the plugin should still check and verify that they are running the patched version.
Read more: https://www.securityweek.com/critical-plugin-flaw-exposed-4-million-wordpress-websites-to-takeover/