The Yellow Pencil Visual Theme Customizer plugin was removed on Monday from the WordPress.org repository because of a privilege escalation bug which would have allowed potential attackers to update arbitrary options on vulnerable installations.
Yellow Pencil is a visual-design plugin that lets users style their websites, and it has an active install base of more than 30,000 websites. However, the plugin was discovered to have two software vulnerabilities, which are now under active exploitation.
More to the point, after successfully exploiting the vulnerability, malicious actors could potentially change both the site URL and the home URL with an unauthenticated SQL injection.
This is exactly what happened to a number of unlucky webmasters who had their WordPress websites hacked because of the vulnerability discovered in the plugin.
As explained by the Wordfence researchers:
"We’re again seeing commonalities between these exploit attempts and attacks on recently discovered vulnerabilities in the Social Warfare, Easy WP SMTP and Yuzo Related Posts plugins. Exploits so far are using a malicious script hosted on a domain, hellofromhony[.]com, which resolves to 176.123.9[.]53. That IP address was used in the other attacks mentioned. We are confident that all four attack campaigns are the work of the same threat actor."
Site owners are therefore advised to deactivate the plugin or get the update from the Yellow Pencil plugin company.