Critical WordPress Plugin Flaws Exploited to Inject Malicious Scripts and Backdoors

Three WordPress plugin vulnerabilities are currently being exploited, allowing hackers to inject malicious scripts and backdoors into websites. These vulnerabilities allow attackers to create new WordPress administrator accounts, inject backdoors into files, and monitor infected targets using tracking scripts. One of the bugs, CVE-2024-2194, allows attackers to inject scripts via the URL search parameter; the scripts are then executed whenever an injected page is accessed. Another bug, CVE-2023-6961, is used by attackers to inject a payload into pages generating a 404 response, using the payload to steal the users' credentials.

Read more: https://www.securityweek.com/critical-wordpress-plugin-flaws-exploited-to-inject-malicious-scripts-and-backdoors/