Wednesday, 09 July 2025

WordPress sites with Frontend File Manager plugin are vulnerable to XSS

Critical cross-site scripting (XSS) vulnerabilities have been found affecting a number of sites running WordPress. They allow threat actors to inject JavaScript code into web pages and create admin user accounts. The bugs are in the Frontend File Manager plugin.

Experts reported a total of six vulnerabilities impacting plugin versions 17.1 and 18.2. Researchers estimate that the vulnerable Frontend File Manager is installed on more than 2,000 websites.

If administrators don't install the released patches, attackers will be able to execute malicious code remotely. Successful exploitation would let criminals delete or change posts, carry out XSS attacks, and elevate privileges.

All administrators using Frontend File Manager are advised to install plugin version 18.3, which was released on June 26th, or a later version.

Source: anti-malware.ru

13 July 2021
