A critical vulnerability in a WordPress plugin used on over one million websites has been patched, after evidence emerged that malicious hackers were actively exploited in the wild.

Wordpress being able to force push code updates looks a lot like a botnet to me. And I’m not talking about compromised instances. What could go wrong?