CRITICAL - Warwick CSIIRT has been notified that a vulnerability in the ValvePress Automatic plugin for WordPress could allow a threat actor to perform SQL injection (SQLi). In the attacks observed so far, the vulnerability is used to run unauthorised database queries and create new admin accounts on susceptible WordPress sites, which could then be leveraged for follow-on post-exploitation actions.