Sucuri uncovered details about a massive WordPress infection campaign, Balada Injector, that is active since 2017. The attackers are known to leverage all known and recently discovered theme and plugin vulnerabilities. The campaign has infected over one million WordPress websites over a duration of around five years.