Wordfence team reported a Privilege Escalation via Account Takeover vulnerability in WCFM β WooCommerce Frontend Manager, a WordPress plugin with more than 20k installations. Some of those sites are also our clients using our Auction, Group Buy and Lottery plugins so we urge them (and all other using the plugin) to update WCFM to the latest version.
This vulnerability makes it possible for an authenticated attacker to change the email of any user, including an administrator, which allows them to reset the password and take over the account and website. Full article is here and tech details are here.