WordFence is spreading the word about three different plugins with security vulnerabilities they've found exploited in the wild.
- WooCommerce Store Toolkit (not publicly available, patched, but will need updating)
- WordPress User Meta Manager (on .org, blind SQL injection vulnerability)
- WP User Frontend (on .org, unrestricted file upload vulnerability)
Update these plugins if you haven't already.