A rogue version of the WordPress plugin called “Display Widget” allowed third-parties to injecting spam advertising content into victims’ sites.

Attackers have been carrying out WPSetup attacks, taking advantage of users who have installed WordPress but not yet configured it.

Sites still vulnerable to a REST API endpoint flaw in WordPress are now being targeted by attackers trying to turn a profit.