Company
Date Published
Author
Simon Scannell
Word count
1443
Language
English
Hacker News points
None

Summary

This critical WordPress vulnerability, known as CVE-2019-9787, allows an attacker to gain remote code execution on any WordPress installation prior to version 5.1.1 by tricking an administrator into visiting a malicious website. The exploit chain starts with a cross-site request forgery (CSRF) vulnerability in the comment form. Comment input is not properly sanitized, which allows attackers to inject additional HTML tags and attributes and leads to a stored XSS vulnerability. Once the XSS payload is executed, the attacker can gain arbitrary PHP code execution on the remote server through a PHP backdoor inserted into the theme or plugin files. The vulnerability exists in WordPress versions prior to 5.1.1 and can be exploited with default settings. It's essential for WordPress administrators to update to version 5.1.1 immediately, disable comments until the security patch is installed, and log out of their administrator session before visiting other websites.