contrary to what is said here:
https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-popup-builder-plugin-affecting-over-100000-sites/
the version 3.64.1 does not resolve the issue
I had the header.php infected, with a clean wordpress, theme and plugin
I had to delete the plugin to prevent a redirection to step.xxxx.com/r.php?id=
nothing in the database
see also:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10195
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10196