Plugins are the most common form of WordPress hacking. In February, WordPress officials found a security vulnerability in the Simple Contact Info plugin. The security vulnerability in the plugin, that had not been updated in three years, allowed the logged-in user to delete any file on the website.
Over 6,000 websites are deemed vulnerable.
Read more here: https://blog.threatpress.com/plugins-closed-endangers-websites/