Malware known as wp-vcd is targeting WordPress sites leveraging flaws in outdated plugins and themes. Malware was first spotted in July by the Italian security expert Manuel DOrso who noticed that the malicious code was loaded via an include call for the wp vcd.php file and injected malicious code into WordPress core files such as functions.php and class.php. The malware creates a new admin user with the intent to establish a backdoor into the target installation and gain full control of infected websites.”]
Source: https://securityaffairs.co/wordpress/65800/malware/wordpress-wp-vcd-malware.html