The Wordfence team found this set of vulnerabilities in mid-August and initially reached out to the plugin’s team on August 17, 2020, providing full disclosure details on August 18, 2020. The plugin’s team quickly released an initial patch on August 19, 2020, to resolve the most severe problem, and released an additional patch on September 8, 2020, to resolve the remaining issues.
This is considered a critical security issue that could lead to remote code execution on a vulnerable site’s server. If you haven’t already updated, we highly recommend updating to the fully patched version, 4.2.153, immediately.
No clients of ProtectYourWP.com are affected by this vulnerability.