Which PHP function allows injecting malicious php files?

Which PHP function can allow malicious .php script injections onto the hosting account? I mean there is a WordPress with an outdated plugin which has a hole in it. Abusers scan the servers to find these bugs, they find it, and the result is that I see various PHP scripts injected in various folders (including the root folder - public_html) of the WordPress installation…

That hosting account password is unguessable, not saved anywhere.

There are many ways malicious files can be put onto a web server by vulnerable code. If you can tell us which WordPress plugin had this problem, then I’m sure someone here will be able to give you a specific answer to your question.