A hugely popular plugin for the WordPress website builder was carrying a high-severity flaw that could have allowed threat actors to take full control of the target website, experts have found.