A rogue version of the WordPress plugin called “Display Widget” allowed third-parties to injecting spam advertising content into victims’ sites.

Attackers have been carrying out WPSetup attacks, taking advantage of users who have installed WordPress but not yet configured it.

WordPress security experts said that 1.5M sites have been defaced following the disclosure of a silently fixed content injection vulnerability.