Attackers have found a way to escalate the benign WordPress REST API flaw and use it to gain full access to a victim's server by installing a hidden backdoor.