I have resolved it eventually.
I suspect this was an injection attack on the system by a bot that managed to create a user account for itself.
One lesson learned is to govern user creation more strictly.
But it’s still not fully clear what/how the intruder acted,
so if somebody has a clue, share in the comments please…
This is what I concluded and mitigated:
In the AND wp_posts.post_author NOT IN (), the () was receiving its value from:
function customFiltersSettings() {
    $settings = get_option('wp_custom_filters');
    if (!$settings) {
        return null;
    }
    return unserialize(base64_decode($settings));
}
I looked up the database’s wp_options table to see what the wp_custom_filters entry contains, and it contained ‘YTowOnt9’, a.k.a. a:0:{} translated from base64.
This way the !$settings protection could not replace the empty array with a suitable null, because at the time of checking it was a real value in base64.
So simply deleting the content of the wp_custom_filters entry in the wp_options table of the database resolved the error.
Theme/Plugin/WP developers need to check, but I think this might be a live vulnerability in i-excel and also in the twentytwenty theme, I think (maybe even more).
I would suggest a correction that would expand the if !$settings part with some extra code that also validates the decoded value of unserialize(base64_decode($settings))…
What I don’t know among many things yet is what wp_custom_filters originates from, and how can somebody from the UI modify its content?! (e.g. where was the intrusion point, AND where can I use this option for something actually useful).
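One way to write the check suggested above, as an added example that is not part of the original post or of any theme's code. The names customFiltersSettingsChecked and decodeAuthorIdList are hypothetical, get_option is stubbed so the file runs outside WordPress, and it is an assumption that the option is meant to hold a list of author IDs.

```php
<?php
// Added example. Stand-in for WordPress get_option() so the file runs on its
// own; the stored value is the one quoted in the post.
if (!function_exists('get_option')) {
    function get_option($name, $default = false) {
        $stored = ['wp_custom_filters' => 'YTowOnt9']; // base64 of a:0:{}
        return $stored[$name] ?? $default;
    }
}

// Hypothetical helper: decode a stored value into a non-empty list of
// positive integer IDs, or null if anything about it is unusable.
// Assumption: the option is meant to hold author IDs for the NOT IN () clause.
function decodeAuthorIdList($settings) {
    if (!is_string($settings) || $settings === '') {
        return null;
    }
    $raw = base64_decode($settings, true); // strict mode: false on bad input
    if ($raw === false) {
        return null;
    }
    // allowed_classes => false stops stored data from instantiating objects.
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($decoded)) {
        return null;
    }
    $ids = [];
    foreach ($decoded as $value) {
        $id = is_scalar($value)
            ? filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
            : false;
        if ($id !== false) {
            $ids[] = $id;
        }
    }
    // An empty list is reported as null so the caller can skip the clause.
    return $ids ? array_values(array_unique($ids)) : null;
}

function customFiltersSettingsChecked() {
    return decodeAuthorIdList(get_option('wp_custom_filters'));
}

// Constructed sample inputs: the post's empty array, a mixed list, junk.
var_dump(customFiltersSettingsChecked());
var_dump(decodeAuthorIdList(base64_encode(serialize([3, '7', 'x', -1]))));
var_dump(decodeAuthorIdList('not base64!'));
```

Because the helper returns null for an empty or malformed value, a caller can omit the NOT IN clause entirely instead of emitting NOT IN ().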