Spam injection below </html> tag

https://www.ads-software.com/support/topic/268083#post-1065779

Up-grading may only be a band-aid. Rarely does an upgrade alone remediate a compromise. There is no quick specific answer to your question, due to the scope of possibilities for point of entry, (a substantial number of those methods are not directly related to wordpress) however..

I have several blogs on the same host that now have hundreds of lines of URLs

That could suggest a server security issue or maybe an ftp compromise. First advise and consult with your hosting service. They may already have an answer for you as to “how” it may have happened. Once that proves non-productive, then start here and refine your search. Gather all the information you can about how it can possibly happen, then start the process of investigation and elimination. Server logs are usually a pretty helpful resource.

https://www.ads-software.com/search/hacked?forums=1

https://www.google.com/#hl=en&q=wordpress+hacked+injection&aq=f&aqi=&fp=82e34627c46f57f4

https://codex.www.ads-software.com/Hardening_WordPress

Good luck to you.