Unauthenticated Arbitrary Options Update leading to full website compromise discovered by mirphak aka John Castro (Pagely) in WordPress Image Hover Effects Ultimate plugin (versions <= 9.6.1).
Update the WordPress Image Hover Effects Ultimate plugin to the latest available version (at least 9.6.2)