A vulnerability in the defunct OneTone WordPress theme plugin is being exploited to compromise entire sites while installing backdoor admin accounts.