Critical WordPress plugin vulnerability allowed wiping databases