wp-login.php injection silently exfiltrates a victim’s username and password back to the attacker’s server.