In the past four months, Sucuri has seen an increase in the number of plugins affected by the misuse of WordPress’ update_option() function. This function is used to update a named option/value in the options database table. If developers do not implement the permission flow correctly, attackers can gain admin access or inject arbitrary data into any website.
Note: The WordPress update_option() function cannot be used maliciously if the developer correctly implements it in their code.
Source: Scuri check