WP File Manager Plugin Vulnerability

If you are using the WP File Manager plugin and have not updated it since August 31st 2020, make sure you update your WP File Manager Plugin ASAP.

On August 25th a vulnerability disclosure was released regarding the WP File Manager plugin. The flaw allowed anyone, without logging in, to upload an arbitrary file to a website running version 6.4 (released May 25th, 2020) or any other release before 6.9.

Version 6.9 was released on September 1st which patched this vulnerability.

There were still approximately 350,000 sites running the vulnerable 6.4 release on September 1st, 2020.

If your site is compromised, the initial malware will be found in the /wp-content/uploads directory. Also check the plugin's own files directory, /wp-content/plugins/wp-file-manager/lib/files, which is where the vulnerable upload handler writes to.

Once the initial malware is installed the attackers have complete control over your hosting files and database: a PHP file dropped on the server runs with the same privileges as WordPress itself, so it can read wp-config.php, including the database credentials stored there, and modify every file the web server user can write.

Remember: a deactivated plugin can still be a huge security risk to your site. Deactivating only stops WordPress from loading the plugin; its files stay on disk and remain directly reachable over HTTP. In this case that is enough for anyone who can reach the site, logged in or not, to upload files and compromise it. Update the plugin, or delete it entirely if you no longer use it.
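The two checks described above (is an unpatched copy of the plugin still on disk, and has anything executable been dropped under the uploads directory) can be scripted. The following is an added example written for this post, not code from the original page or from the WP File Manager project. It assumes the plugin's main file is wp-content/plugins/wp-file-manager/file_folder_manager.php with a standard "Version:" header and that 6.9 is the first patched release; it goes slightly beyond the post by also looking in the plugin's own lib/files directory. The sample site it builds is constructed fake data so the check can be run offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from the WP File Manager
# project. Checks a WordPress install for an unpatched WP File Manager and
# for PHP files dropped into wp-content/uploads or the plugin's lib/files dir.
#
# Assumptions (hypothetical paths): the plugin's main file is
# wp-content/plugins/wp-file-manager/file_folder_manager.php with a standard
# "Version:" header; 6.9 is the first patched release.

PATCHED_VERSION="6.9"

# Read the "Version:" line from a WordPress plugin header.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# True (exit 0) when dotted version $1 is older than $2. Compares each
# numeric component so that 6.10 sorts after 6.9 (string sorting would not).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xa = (i <= n) ? x[i] + 0 : 0
            yb = (i <= m) ? y[i] + 0 : 0
            if (xa < yb) exit 0
            if (xa > yb) exit 1
        }
        exit 1
    }'
}

# Check one WordPress root. Prints findings; returns 1 if anything is wrong.
check_site() {
    root="$1"
    rc=0
    main="$root/wp-content/plugins/wp-file-manager/file_folder_manager.php"
    if [ -f "$main" ]; then
        v=$(plugin_version "$main")
        if [ -z "$v" ] || version_lt "$v" "$PATCHED_VERSION"; then
            echo "VULNERABLE: wp-file-manager ${v:-unknown} present (need >= $PATCHED_VERSION); deactivating is not enough, update or delete it"
            rc=1
        else
            echo "OK: wp-file-manager $v"
        fi
    fi
    # PHP under uploads (or under the plugin's lib/files) is never legitimate.
    found=$(find "$root/wp-content/uploads" \
                 "$root/wp-content/plugins/wp-file-manager/lib/files" \
                 -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) \
                 2>/dev/null || true)
    if [ -n "$found" ]; then
        echo "SUSPICIOUS executable files (indicator of compromise):"
        echo "$found"
        rc=1
    fi
    return $rc
}

# Constructed sample install (fake data) so the check can be exercised offline.
# $1 = "clean" or "infected", $2 = plugin version to write into the header.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/wp-file-manager" "$d/wp-content/uploads/2020/09"
    printf '<?php\n/*\nPlugin Name: File Manager\nVersion: %s\n*/\n' "$2" \
        > "$d/wp-content/plugins/wp-file-manager/file_folder_manager.php"
    if [ "$1" = "infected" ]; then
        # Stand-in for a dropped web shell; the payload does not matter to the check.
        printf '<?php echo "shell";\n' > "$d/wp-content/uploads/2020/09/image.php"
    fi
    echo "$d"
}

# Usage: sh wpfm_check.sh /var/www/html   (exit status 1 when something was found)
if [ $# -gt 0 ]; then
    check_site "$1"
    exit $?
fi
```

Run it against the real document root of each site you host; a non-zero exit status means either an unpatched plugin copy or executable files in a directory that should only ever hold uploads. The version comparison is component-wise on purpose, since a plain string sort would rank 6.10 below 6.9 and miss a patched install.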

Other Resources discussing this vulnerability:

https://wpvulndb.com/vulnerabilities/10389

https://blog.nintechnet.com/critical-zero-day-vulnerability-fixed-in-wordpress-file-manager-700000-installations/

https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/

https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/

https://blog.sucuri.net/2020/09/critical-vulnerability-file-manager-affecting-700k-wordpress-websites.html