Most of the WordPress sites that have been compromised are the result of attackers exploiting vulnerable versions of the plugins used. A stored cross-site script vulnerability was discovered last week in the popular WordPress Live Chat Support plugin. The vulnerability allows an unauthenticated attacker to update the plugin settings by calling an unprotected “admin_init hook” and injecting malicious JavaScript code everywhere on the site. The patched version for this vulnerability was released on May 16, 2019, and has been fixed for version 8.0.27 and higher.”]

Source: https://www.zscaler.com/blogs/security-research/malicious-javascript-injected-wordpress-sites-using-latest-plugin-vulnerability