Hackers have exploited three zero-days to install backdoors on WordPress sites, according to a security alert published minutes ago by WordPress security firm Wordfence. The zero-days affect three WordPress plugins — Appointments, Flickr Gallery and RegistrationMagic. The plugins' authors released updates to fix the attack vector — a PHP object injection vulnerability that affects all three plugins in the same way.