The official Wordfence blog has posted the following WordPress security alert:
(in part) The Yuzo Related Posts plugin was removed from the WordPress.org plugin directory as of March 30, 2019. after the discovery of an unpatched vulnerability was publicly disclosed by a security researcher. The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild.
The WordFence post gives details on the vulnerability, the attack campaign that is currently exploiting it and how to protect your site.