According to the WordPress manual, the 'wp_ajax_nopriv_(action)' hook handles requests from users who are not logged in. This means attackers are free to modify the victims' database without even being logged in.
Here are the options that can be modified:
- 'td_category'
- 'td_option'
- 'wp_option'
- 'td_homepage'
- 'td_page_option'
- 'td_widget'
- 'td_author'
- 'wp_theme_mod'
- 'wp_theme_menu_spot'
- 'td_translate'
- 'td_ads'
- 'td_social_networks'
- 'td_fonts_user_insert'
- 'td_fonts'
- 'td_block_styles'
For this infection, the attacker adds the code to 'td_ads', which corresponds to the theme's Header Ad.
Unfortunately, it can't be detected in the access logs, because the attacker uses a POST request to /wp-admin/admin-ajax.php, which is normally seen in the logs anyway.
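
The pattern behind the 'wp_ajax_nopriv_(action)' problem described above, shown next to a hardened handler. This is an added example, not the theme's own code: the `example_*` action, function, nonce and option names are hypothetical, and the snippet assumes it is loaded by WordPress from a theme or plugin file.

```php
<?php
// Added illustration; handler and option names are hypothetical, not the theme's code.

// BEFORE: the same callback is registered for logged-in AND anonymous visitors.
add_action( 'wp_ajax_example_update_panel', 'example_update_panel_insecure' );
add_action( 'wp_ajax_nopriv_example_update_panel', 'example_update_panel_insecure' ); // reachable without login

function example_update_panel_insecure() {
    // No nonce, no capability check: any POST to admin-ajax.php can write the option.
    update_option( 'example_' . $_POST['option'], wp_unslash( $_POST['value'] ) );
    wp_die();
}

// AFTER: no nopriv hook, plus nonce, capability and allow-list checks.
add_action( 'wp_ajax_example_update_panel_fixed', 'example_update_panel_secure' );

function example_update_panel_secure() {
    // Reject requests that lack a valid nonce (CSRF protection).
    if ( ! check_ajax_referer( 'example_update_panel', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // wp_ajax_(action) only proves the user is logged in, so check the capability too.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Only accept option names from a fixed allow-list.
    $allowed = array( 'td_ads', 'td_social_networks' );
    $option  = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    // wp_kses_post() drops <script> and other markup not allowed in post content.
    $value = isset( $_POST['value'] ) ? wp_kses_post( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_' . $option, $value );
    wp_send_json_success();
}
```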