It’s even happened here with an unpatched version of WP GDPR compliance plugin. Vulnerable up to and including v1.4.2.
Thankfully following instructions with Wordfence standard saved the day. All is well and nothing lost – except a couple of hours time.
So I do recommend the Wordfence plugin
No help from Namseco the host ISP I must add.