Multiple WordPress plugins have been backdoored to inject malicious code that makes it possible to create rogue administrator accounts with the aim of performing arbitrary actions.
« The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server, » Wordfence security researcher Chloe Chamberland said in a Monday alert.
