https://www.bleepingcomputer.com/news/security/wordpress-plugin-bug-can-be-exploited-to-create-rogue-admins/

Owners of WordPress sites who use the Contact Form 7 Datepicker plugin are urged to remove or deactivate it to prevent attackers from creating rogue admins or taking over admin sessions after exploiting an authenticated stored cross-site scripting (XSS) vulnerability.

Contact Form 7 Datepicker is a no longer maintained plugin designed to integrate with and to add a date field to the user interface of the Contact Form 7 WordPress plugin, a contact form management plugin installed on over 5 million websites.