There are two clues that your WordPress site has been attacked.
There are strange additions to the pretty permalinks, such as
example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are â€œevalâ€ and â€œbase64_decode.â€
The second clue is that a â€œback doorâ€ was created by a â€œhiddenâ€ Administrator. Check your site users for â€œAdministrator (2)â€ or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.
So what are you waiting for act now and upgrade. But be sure to back your files.