A serious vulnerability in the WordPress plugin MailPoet could essentially allow an attacker to inject any file they wanted onto the server, including malware, defacements and spam. Within three weeks of the vulnerability being unveiled, over 50,000 websites have been remotely exploited by cybercriminals, who target the vulnerable MailPoet plugin to install backdoors. The malware code had some bugs: it was breaking many websites, overwriting good files and appending various statements in loops at the end of files. The security firm first reported the vulnerability at the beginning of this month.
Source: https://thehackernews.com/2014/07/hacking-wordpress-plugin-vulnerability.html

