Hackers exploit zero-day in WordPress plugin to create rogue admin accounts