Persistent WordPress User Injection

From blog.sucuri.net

Our team recently stumbled across an interesting example of malicious code used to add an arbitrary user inside WordPress.

The following code was detected at the bottom of the theme’s functions.php. It uses internal WordPress functions like wp_create_user() and add_role() to create a new user and elevate its role to “administrator”:
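A defender's check for the pattern described above, as an added example that is not code from the original post: it scans each theme's functions.php for calls to the functions the post names and reports their line numbers. The helper names, the extra `wp_insert_user` and `set_role` entries, and the sample file are assumptions made for this illustration.

```python
import re
from pathlib import Path

# The two functions the post names, plus wp_insert_user and set_role (added here as
# an assumption: related WordPress core calls that create users or change roles).
SUSPECT_CALLS = ("wp_create_user", "wp_insert_user", "add_role", "set_role")
CALL_RE = re.compile(r"(?<![\w$])(" + "|".join(SUSPECT_CALLS) + r")\s*\(")
# PHP comments and quoted strings, blanked so that commented-out code and
# string contents are not reported as calls.
NOISE_RE = re.compile(
    r"/\*.*?\*/|//[^\n]*|#[^\n]*|'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"",
    re.S,
)

def _blank(match):
    # Keep newlines so reported line numbers still match the file.
    return re.sub(r"[^\n]", " ", match.group(0))

def find_user_injection(php_source):
    """Return [(line_number, function_name)] for each suspect call."""
    cleaned = NOISE_RE.sub(_blank, php_source)
    return [(cleaned.count("\n", 0, m.start()) + 1, m.group(1))
            for m in CALL_RE.finditer(cleaned)]

def scan_themes(themes_dir):
    """Check every */functions.php under a wp-content/themes directory."""
    report = {}
    for path in sorted(Path(themes_dir).glob("*/functions.php")):
        hits = find_user_injection(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample (not the code from the post): a theme file whose last two
# lines call the named functions with undefined placeholder variables.
SAMPLE = """<?php
// wp_create_user() mentioned in a comment must not match
function mytheme_setup() { add_theme_support('title-tag'); }
add_action('after_setup_theme', 'mytheme_setup');
$note = "call add_role( later";
$uid = wp_create_user($u, $p, $e);
add_role($r, $n, $caps);
"""

if __name__ == "__main__":
    for line, name in find_user_injection(SAMPLE):
        print(f"functions.php:{line}: call to {name}()")
```

A hit is a prompt to compare the file against a known-good copy of the theme, since this plain-text match will miss obfuscated calls.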
