The number one cause. A plugin with a known vulnerability (e.g., an old version of Elementor , RevSlider , or Contact Form 7 ) allows an attacker to upload a file directly to your root directory.
Under the Hood of a "Hacked Wizard Page": Defending the Modern Multi-Step Form hacked wizard page
To truly understand the threat, one must look at the technical details behind these hacks. The "wizard page" metaphor often hides a series of well-understood, but devastating, vulnerabilities. The number one cause
: Hackers often rush their work. If the wizard looks "off" or has broken images, proceed with caution. The Clean-Up: Banishing the Malware an old version of Elementor