Happened to seven WP sites I maintain. It's a script and someone got into an account. The script finds all .php and .htm files and adds stuff to the top. If you only have wordpress files, it's an easy fix - reset the password and get a different template.
I would still worry a bit. Some hackers will show a broken link if you're accessing a page directly with no referrers, for example. But if you come in with a referrer or from a search engine, then they might return the malware payload.
If a site was showing up recently in our malware list, it's practically certain that an actual user downloaded malware via the site.
