A stored XSS and arbitrary file-upload bug can be paired with an authorization bypass to wreak havoc.
https://threatpost.com/brizy-wordpress-plugin-exploit-site-takeovers/175463/
BotenaGo, written in Google’s Golang programming language, can exploit more than 30 different vulnerabilities.
https://threatpost.com/routers-iot-open-source-malware/176270/