by OSButler 3867 days ago
The theme directory is a common target for code injection, as it is often set with writeable webserver-user permissions, in order to allow the admin to use the backend theme editor.

Almost all of the compromised accounts I've dealt with over the years were the result of outdated WordPress or plugin installs, where an exploit was used to upload a file to one of the commonly known writeable directories: plugins, uploads, or themes.

Most of those cases could have been prevented if the owner had kept their installs up to date, which makes these issues so frustrating to deal with.
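
An added example, not part of the original comment and not WordPress code: a small Python audit of the three directories named above, reporting which of them the web server account can write to and which PHP files sit under uploads. The function names, the extension list, and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

TARGET_DIRS = ("plugins", "uploads", "themes")   # the directories named above
PHP_SUFFIXES = (".php", ".phtml", ".phar")       # assumed list of executable extensions


def writable_by(st, uid, gids):
    """Classic Unix permission check (ignores ACLs and root's override)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_wp_content(wp_content, web_uid, web_gids=()):
    """Return (writable_dirs, php_in_uploads) as sorted paths relative to wp_content."""
    writable, php_in_uploads = [], []
    for name in TARGET_DIRS:
        for root, _dirs, files in os.walk(os.path.join(wp_content, name)):
            rel = os.path.relpath(root, wp_content)
            if writable_by(os.stat(root), web_uid, web_gids):
                writable.append(rel)
            if name == "uploads":  # media only: any PHP here deserves a look
                php_in_uploads += [os.path.join(rel, f) for f in files
                                   if f.lower().endswith(PHP_SUFFIXES)]
    return sorted(writable), sorted(php_in_uploads)


def build_sample_tree(base):
    """Constructed sample install, for demonstration only."""
    layout = {"themes/demo": 0o755, "themes": 0o755, "plugins": 0o555,
              "uploads/2015": 0o755, "uploads": 0o777}
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)  # explicit chmod so the result ignores the umask
    for fname in ("photo.jpg", "cache.PHP"):
        open(os.path.join(base, "uploads/2015", fname), "w").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dirs, php = audit_wp_content(build_sample_tree(tmp), os.geteuid())
        print("writable by web user:", dirs, "| PHP under uploads:", php)
```

On a real host, pass the uid and group ids of the account the web server runs as instead of the current user's.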