Hi @pautgn ,
Great question!
We definitely recommend updating and using the latest version, in this case and always.
Without going into too much detail, there was a way for users with permission to install plugins (so usually only admins) to install a plugin from WordPress.org via the Toolkit. If perhaps an admin was tricked into doing something (and it would have to be very targeted and intentional), a plugin from WordPress.org could be installed on the site. Yesterday’s update adds a nonce check to block this scenario. It does only affect users who already have permission to install plugins though and the installed plugin would have to be from WordPress.org.
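
The following is an added example, not part of the original reply and not the Toolkit's own code. It sketches how a WordPress AJAX handler that installs a plugin from WordPress.org can require both a nonce and the `install_plugins` capability; the action name `example_toolkit_install` and the function name are hypothetical.

```php
<?php
// Hypothetical handler for illustration; names are not taken from the Toolkit.
// The admin page that triggers it must send a nonce created with
// wp_create_nonce( 'example_toolkit_install' ) in the '_ajax_nonce' field.
add_action( 'wp_ajax_example_toolkit_install', 'example_toolkit_install_plugin' );

function example_toolkit_install_plugin() {
    // 1. CSRF check. The nonce is tied to the logged-in user, their session and
    //    this action, so a request that did not originate from the site's own
    //    admin screen cannot supply a valid one.
    if ( ! check_ajax_referer( 'example_toolkit_install', '_ajax_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }

    // 2. Authorization check. A nonce proves intent, not permission, so the
    //    capability is still verified separately.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to install plugins.' ), 403 );
    }

    // 3. Input validation. Accept only a WordPress.org-style slug, never a URL.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Resolve the slug through the WordPress.org API so the download link
    // comes from the directory rather than from the request.
    $info = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $info ) ) {
        wp_send_json_error( array( 'message' => $info->get_error_message() ), 404 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $info->download_link );
    if ( true !== $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }

    wp_send_json_success( array( 'slug' => $slug ) );
}
```

Omitting step 1 leaves the capability check intact but lets the handler act on any request sent with an admin's cookies, which matches the scenario the reply says the update blocks.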
