Source: Help Net Security
by Zeljka Zorz
In this article: “The websites – mostly blogs and small, private pages – use WordPress 3.2.1 and have been uploaded with an HTML page which redirects the users via a hidden iFrame to a page hosting the Phoenix exploit kit.
“The content uploaded by the attacker is not part of the home page and will not show when users browse these websites. In fact, accessing any page on these compromised WordPress sites, other than the uploaded page, will not infect the user’s machine,” explained the researchers.
… Unfortunately, the question of how the WordPress-based sites were compromised in the first place is still unanswered, but it seems likely that the attackers have found a vulnerability to misuse.”