From my knowledge, the attacker finds a way to access the internal site search function for sites that run site building apps like WordPress.
WordPress's internal search function is explained as follows:
The WordPress internal search is a function that is deeply embedded in the system. Essentially, there is a listing of posts and pages. If WordPress is used as a blog, there is often a list of e.g. 10 most recent blog posts on the home page.
[To see links please register here]
Exploiting this function of a WordPress website is referred to as internal site search spam.
If you want to find out more about this, you are welcome to have a look at a post that is on Yoast.
[To see links please register here]
This is how I interpreted the information I shared with you now:
The website was not hacked, but a built-in function that the website use was exploited.
The built-in function is something that can not be removed or disabled, but the content created by the function can be excluded when indexed.
Content created by the function is not harmful, and does not pose a threat to the site or its users... Unless properly configured.