An issue in Jpress v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the custom plug-in module function.
https://www.wolai.com/catr00t/2LujDzjjcrAjUYpWtcusXD
https://gist.github.com/rootlili/a6b6c89591f4773857ae81b7ca5898bc