My site was briefly hijacked by a cross-scripting exploit this morning. The attackers uploaded a plugin called “plugin” which contained the file plugin.php. That file did the redirecting.
My question: does the attacker have an admin login, or is there a backdoor to installing a plugin? What would the vector be? I find nothing in the logs that indicates any of these activities.
Thanks for your help!