Vulnerability in widely-used WordPress plugin could allow full site takeover