Recently (wordpress is up-to-date) we experienced an exploit in our WordPress installation. Someone was able to successfully upload a spoofed bank site template to the upgrade directory (mentioned content: /wp-content/upgrade/wellsfargo/"). They somehow then were able to copy that directory to the root folder on the server (below the public_html folder).
Although we are unsure exactly how they accomplished this, the matter is..they were able to.
I have searched but have not been able to duplicate this problem elsewhere in existence (no one else has been posting about it that I have been able to find).
Something to consider.