Yellow Pencil attacks part of a larger campaign
https://www.bleepingcomputer.com/news/security/thousands-of-wordpress-sites-exposed-by-yellow-pencil-plugin-flaw/
The Yellow Pencil Visual Theme Customizer plugin was removed from the WordPress.org repository on Monday because of a privilege escalation bug that would have allowed attackers to update arbitrary options on vulnerable installations.
More to the point, after successfully exploiting the vulnerability, malicious actors could change both the site URL and the home URL with an unauthenticated SQL injection.