I have had an infection as well where the newsletter plugin was also installed. It compares to what is described here: http://somewebgeek.com/2014/wordpress-remote-code-execution-base64_decode/ (attributed to the WP mailpoet plugin)
I do not have mailpoet installed, maybe somebody can confirm infection without mailpoet being installed.