FYI, we have identified a similar variant of this exploit.
In our case, to remove the exploit, we need to clean up the ‘wp_options’ table in the WordPress database. We have documented the details at:
https://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection
