I am having the exact same issue with a website I manage. Based on Sucuri logs, the WordPress login & password appear compromised. I’ve removed that user completely. Changed all passwords to WordPress, database, and hosting. I’ll know tonight if there’s still an issue.
The plugin itself had also been modified. I opened the file on the server and found the first few lines had been edited to something crazy. While activated, the plugin would force sexually explicit popups when normal links were clicked. Unfortunately, I removed it and didn’t save a copy.
Username changed for privacy. This is the log.
08:09
XXXX2019 Plugin activated: Page Builder Gutenberg Blocks – CoBlocks (v2.11.2; Builder/Builder.php)
IP: 192.0.87.146
08:09
XXXX2019 Post deleted: (multiple entries):
Post id: 2254
IP: 192.0.118.207
08:09
XXXX2019 Media file added; ID: 2254; name: Plugin; type: application/zip
IP: 192.0.118.207`
