At the end of January 2017, WordPress released version 4.7.2 to fix multiple security vulnerabilities. Not long after that, active exploits against these vulnerabilities were detected. Attackers left messages like “by NG689Skw” or “by w4l3XzY3” on the victims’ websites. Here’s a screenshot:
You can see that the attacker became “ADMIN” of the WordPress site, and that remote code execution is possible if the WordPress site has plugins like InsertPHP.
Qualys identifies these vulnerabilities with QID 11758 : WordPress Prior to 4.7.2 Multiple Security Vulnerabilities and recommends customer patch their systems with highest priority.