On February 2, 2021, the WordFence Threat Intelligence team discovered a vulnerability in External Media, a WordPress plugin used by over 8,000 sites, and reported it to the developer. This flaw made it possible for authenticated users, such as subscribers, to upload arbitrary files on any site running the plugin. This vulnerability could be used to achieve remote code execution and take over a WordPress site.
After several minor patches and follow-ups with the developer, a fully patched version was released as version 1.0.34.
This is considered a critical vulnerability. Therefore, we highly recommend updating to the latest patched version available, 1.0.34, immediately.
All of our client sites have of course been updated.