Once the threat actors gain access, they use WordPress custom HTML widgets or, more commonly, install the legitimate Simple Custom CSS and JS plugin to inject the malicious JavaScript code.