security issue

A few weeks ago we had stange files in the upload folder. They’re was unexpected php script files sending emails to whatever recipient received as a parameter. No need to go into details, we sanitized everything (well 2 years without an update, shame on us).
Clean install, periodic core and plugins update, unexpected php scripts come back here and there.
I noticed that this plugin didn’t have any update in the process (well that’s written as an alert on the plugin homepage).
So, I’m thinking maybe that’s the one used as a script injecting vector, without having a clear proof of that.
Though, It hink it might be good to warn someone in order to : do a security cheking, level up the alert level etc.
I’d be glad to provide more information in the limits of my skills.
Cheers.

https://wordpress.org/plugins/zdmultilang/