If you use the PublishPress Capabilities plugin, please update to the latest version, which is currently 2.3.1.
A week ago, the WPScan team notified us about a security issue in earlier versions of PublishPress Capabilities. That issue is fixed in 2.3.1, so please update your sites.
The WordPress.org plugin team have been very helpful. They are rolling out auto-updates for this security fix, so everyone who uses the version of PublishPress Capabilities from WordPress.org should be covered ASAP. If you use PublishPress Capabilities Pro, please update your site manually.
The most common sign of this issue is new users being created. This Wordfence post has details on how the issue is being exploited.
We apologize for this issue. You trust us with your sites. We need to do better and review our policies to avoid this happening in future releases.
If you have any questions about this issue, you're welcome to send an email to [email protected].
If you ever discover a vulnerability in a PublishPress plugin, we always appreciate hearing from you. Please follow these steps to contact us.