A WordPress plugin with over 100,000 active installations had a bug that could have allowed unauthorised attackers to wipe its users' blogs clean, it emerged this week.