
Flaw in defunct WordPress plugin exploited to create backdoor
2020-04-29 11:27

A vulnerability discovered last year in the defunct OneTone WordPress theme plugin is now being exploited by hackers to compromise entire sites while installing backdoor admin accounts.

If the attack succeeds, hijacking the session in turn lets the attackers create a backdoor admin account and plant additional PHP backdoors through the WordPress dashboard for persistence.

Because the plugin appears to have stopped receiving updates in early 2018, and the company behind it has not responded to Sucuri's attempts to contact it, it is reasonable to assume it will never be patched beyond its current version 1.1.1.

Vulnerable plugins are now a perennial problem for WordPress sites, which is why the platform's maintainers recently started testing a tool to manage this process automatically.

If the OneTone plugin is installed on your site, the best advice is simply to uninstall it as soon as you can.
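The two checks a site owner would want after reading this, as an added example that is not code from the Sophos article or from Sucuri: confirm whether the OneTone theme is present, and list administrator accounts that are not on a known-good allowlist (the kind of backdoor admin account described above). The input formats are those of WP-CLI's `wp theme list --format=csv` and `wp user list --format=csv`; the sample CSV text, the allowlist and the account names below are constructed for the example, and on a real site the functions would be fed the live command output instead.

```shell
#!/bin/sh
# Added example, not part of the original page. Audits WordPress for
# (1) the OneTone theme and (2) administrator accounts outside an allowlist.
# Real input would come from:
#   wp theme list --fields=name,status,update,version --format=csv
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv

# Constructed sample of `wp theme list` output (not real data).
SAMPLE_THEMES='name,status,update,version
twentytwenty,active,none,1.2
onetone,inactive,none,1.1.1'

# Constructed sample of `wp user list --role=administrator` output (not real data).
SAMPLE_USERS='ID,user_login,user_email,user_registered
1,alice,alice@example.com,2017-03-02 10:15:00
7,wpsupport,wpsupport@example.net,2020-04-21 03:44:12
9,bob,bob@example.com,2018-06-11 09:00:00'

# Known-good administrator logins; assumption: maintained by the site owner.
KNOWN_ADMINS='alice bob'

# theme_present CSV SLUG -> exit 0 if a theme named SLUG appears in the CSV.
theme_present() {
    printf '%s\n' "$1" | awk -F, -v slug="$2" '
        NR > 1 && $1 == slug { found = 1 }
        END { exit !found }'
}

# unknown_admins CSV ALLOWLIST -> prints one login per line for every
# administrator in the CSV whose user_login is not in the space-separated ALLOWLIST.
unknown_admins() {
    printf '%s\n' "$1" | awk -F, -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && !($2 in ok) { print $2 }'
}

# Stand-alone run against the constructed samples.
if theme_present "$SAMPLE_THEMES" onetone; then
    echo "OneTone theme is installed: uninstall it (the advice above)"
fi
suspects=$(unknown_admins "$SAMPLE_USERS" "$KNOWN_ADMINS")
if [ -n "$suspects" ]; then
    echo "administrator accounts not on the allowlist:"
    echo "$suspects"
fi
```

Finding an unexpected administrator is only the first signal; the article's description of additional PHP backdoors planted through the dashboard means the theme and plugin directories should be reviewed as well, not just the user table.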


News URL

https://nakedsecurity.sophos.com/2020/04/29/flaw-in-defunct-wordpress-plugin-exploited-to-create-backdoor/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Wordpress 7 2 95 44 18 159
Plugin 2 0 13 1 0 14