Recently I had a case where my client reported me about suspicious links on his corporate website which was built using WordPress. Immediately I was thinking that site got hacked and I was preparing myself for gruesome backup tasks.
Luckily this attack was easy, although very clever. It just changed header file and included another file which was masqueraded as part of WordPress and it was placed into wp-includes directory. File name was class-ajax.php, which is very similar to another files in this directory.