recent post on the Joomla password stealer, here's another beautiful example of a password stealer. This time from a WordPress environment.
It's easy to understand, but what's interesting is that it looks like legitimate code, so you can easily overlook it. It stores its data in "png" files within the ./wp-includes/images/ path and sends them to a non-obfuscated email address.
This is the bad part that was injected into the file user.php in wp-admin:
Anyway, keep your eyes open, guys :)
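A check for the storage trick described above (data kept in files named "png" under ./wp-includes/images/), added here as an example and not taken from the original post or the injected code: it flags every .png file that does not begin with the PNG signature. The file names spinner.png and cache.png and the sample tree are constructed for the demo.

```python
import os
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte signature of every real PNG


def find_fake_pngs(images_dir):
    """Return sorted paths of *.png files under images_dir that are not PNG data."""
    suspicious = []
    for root, _dirs, files in os.walk(images_dir):
        for name in files:
            if not name.lower().endswith(".png"):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(len(PNG_MAGIC))
            except OSError:
                # An unreadable file in a core directory deserves a manual look.
                suspicious.append(path)
                continue
            if header != PNG_MAGIC:
                suspicious.append(path)
    return sorted(suspicious)


def build_sample_tree(base):
    """Constructed sample: one file with a real PNG header, one text file named .png."""
    images = os.path.join(base, "wp-includes", "images")
    os.makedirs(images)
    with open(os.path.join(images, "spinner.png"), "wb") as fh:
        fh.write(PNG_MAGIC + b"\x00\x00\x00\rIHDR")
    with open(os.path.join(images, "cache.png"), "wb") as fh:
        fh.write(b"constructed-user:constructed-password\n")
    return images


if __name__ == "__main__":
    import sys
    # Pass the real wp-includes/images path as the first argument,
    # or run without arguments to scan the constructed sample tree.
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = build_sample_tree(tempfile.mkdtemp())
    for hit in find_fake_pngs(target):
        print("not a PNG:", hit)
```

Any hit in a stock WordPress tree is worth opening by hand, and comparing wp-admin/user.php against a clean copy of the same WordPress release shows whether code was injected there.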