According to security firm WordFence, the content injection flaw in WordPress recently disclosed has already been exploited to deface over 1.5M websites.