Not really a stretch for black hats: attacking a WordPress site
already known well publicized to be poorly maintained by its owners in order to distribute malware to Windows machines. What will they think of next? Sending email to victims in hopes that they will install the payloads themselves? Come on, bad guys! At last act like you're putting some effort into it.