I purchased a theme on themeforest and after giving the theme’s support staff permission to fix an issue with their theme, the user has now posted over 90 spam posts on the website.
Welcome to the forums! It’s highly unlikely that a staff member of support team would abuse the access to send any spam to your website. I would rather think that someone has took control over the account, or gained unauthorized access to your WordPress. You may want to change all the passwords and check if you are using any outdated or low rated plugins.
I’ve encountered a similar issue after installing a plugin from an unknown source. The result was a bit painful .The solution I found that worked for me flawlessly was to remove all recent plugins I had installed and activated Sucuri Scanner Plugin. It’s a world known and trusted service that allowed me to see the IP’s that were trying to brute force the login, and I was able to block them via my hosting panel. I recommend this action if you see no other solution. It will also give you the IP of your logins and will help you identify where this issue is coming from easier. Cheers!