WP Pro – Design, Development and Professional WordPress Hosting for Serious Bloggers - Just another WordPress weblog


Site Hacked: Site Name and Post Titles Changed via Database (Possible Fix)


Finding the source of the problem:

WordPress upgrades overwrite all folders except wp-content, so the exploit most likely lives in that folder. Look for it in the plugins folder, a place you seldom visit once your plugins of choice are set up and running.

  1. Connect to your site via FTP; this is the simplest way to make changes to files on your server.
  2. Check the file permissions of each folder and file in the plugins folder.

    [Image: folder permission check]

  3. The one with read-write-execute permission set for World/Group is most likely the corrupt file.
  4. To determine the permission, look at the permission section of the file details (it should show something like drwxr-xr-x) or right-click the folder and select Properties. Normally you should set the permission to 755 or lower. See image below:
  5. Open the folder with the incorrect file permission; usually the corrupt file will be set to permission 777.

    [Image: check extra file in folder]

  6. Look for suspect files within the folder; usually the suspect file has two dots (.) in its file name and contains gibberish when opened. It is safe to open this file to inspect it. It will look like the image below.

    [Image: extra file in folder]

  7. Delete this file.
  8. Reset the permission of the folder: right-click the folder, select Properties, then change the permission to 755 or less.

    [Image: folder permission change]

  9. The changed folder permission should look like this (CHMOD folder to 755):

    [Image: folder permission change complete]

  10. Look for such exploits in all plugin folders and repeat the steps to remove the file and change the folder permission.
  11. Once done, change both your FTP and WP passwords.
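
The permission and file-name checks from steps 2 to 9 can also be run on the server itself. The following Python is an added example, not part of the original post; it assumes shell access rather than FTP, and the function names and the demo tree (standing in for wp-content/plugins) are made up for illustration.

```python
import os
import stat
import tempfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # group- or world-writable bits


def audit_plugins(plugins_dir):
    """Return (loose_dirs, suspect_files) found under plugins_dir."""
    loose_dirs, suspect_files = [], []
    for root, _dirs, files in os.walk(plugins_dir):
        mode = stat.S_IMODE(os.lstat(root).st_mode)
        if not mode & LOOSE:
            continue  # 755 or tighter: nothing to report
        loose_dirs.append((root, format(mode, "03o")))
        # Two or more dots is the naming pattern the post describes; files
        # like jquery.min.js also match, so treat this as a review list.
        for name in sorted(files):
            if name.count(".") >= 2:
                suspect_files.append(os.path.join(root, name))
    return loose_dirs, suspect_files


def reset_permissions(loose_dirs, mode=0o755):
    """Set each flagged directory back to 755 (steps 8 and 9)."""
    for path, _old in loose_dirs:
        os.chmod(path, mode)


def demo():
    """Audit a constructed plugin tree, reset permissions, audit again."""
    base = tempfile.mkdtemp()  # stands in for wp-content/plugins
    good = os.path.join(base, "good-plugin")
    bad = os.path.join(base, "bad-plugin")
    for d in (good, bad):
        os.mkdir(d)
        open(os.path.join(d, "plugin.php"), "w").close()
    open(os.path.join(bad, "cache.old.php"), "w").close()  # constructed name
    os.chmod(good, 0o755)
    os.chmod(bad, 0o777)
    before = audit_plugins(base)
    reset_permissions(before[0])
    after = audit_plugins(base)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The script only reports suspect files; inspect each one before deleting it, as in steps 6 and 7.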

The steps above remove the file that is actually causing the problem, but the problem also resides in the database. The way to identify the issue is to follow Chris’s method, which he tweeted last evening and which is described in a little more detail next.

2 Responses to “Site Hacked: Site Name and Post Titles Changed via Database (Possible Fix)”

  1. I had no idea that people could do this!! Jeez, it’s a jungle out there. I will definitely be using that backup plugin now – thanks!

  2. I agree with this post as backups are certainly important. I’ve come across a situation similar to this that put our business back a whole week due to not properly backing up our servers. Take advantage of any automated tools – they’re worth it... even if you need a quick fix.

