On 23 January, a WordPress plugin installed on over 200,000 websites was found to have a security problem. The flaw allowed anyone to create a request on behalf of an administrator and inject executable code into a vulnerable website. This is a vulnerability involving cross-site request violation (CSRF) and remote code execution (RCE) commands.
This is a very serious security issue that could cause site damage, information disclosure and more. We recommend updating to the latest version (2.14.0) immediately.