WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext
This backdoor also allows him to download files which add his own admin account to the site, and even alter core WordPress files so every time a user logs in, edits his profile, or a new user account is created, the user’s password is collected (in cleartext) and sent to his server.
This sucks and I feel sorry for anyone who has fallen victim to this. That said, it’s a pretty good reminder for people to run regular audits on all their installed plugins. Note, the plugin has now been removed from the plugin directory.
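Because the backdoor described above alters core WordPress files, one concrete audit step is comparing every core file against a known-good checksum manifest, the same kind of check WP-CLI's `wp core verify-checksums` runs against the official checksums. The sketch below is an added example, not code from the plugin or from WordPress; the function names, the miniature file tree and the manifest are constructed for illustration, with the manifest assumed to be a mapping of relative path to MD5 hash.

```python
import hashlib
import os
import tempfile

def md5_file(path):
    # MD5 is used only because core checksum manifests are assumed to carry MD5 sums
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def audit_core(root, manifest):
    """Compare a WordPress tree against {relative_path: md5}; return findings."""
    findings = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings["missing"].append(rel)
        elif md5_file(full) != expected:
            findings["modified"].append(rel)
    # Core-only directories should contain nothing the manifest does not list
    for core_dir in ("wp-admin", "wp-includes"):
        for dirpath, _, files in os.walk(os.path.join(root, core_dir)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                rel = rel.replace(os.sep, "/")
                if rel not in manifest:
                    findings["unexpected"].append(rel)
    return {kind: sorted(paths) for kind, paths in findings.items()}

def demo():
    # Constructed miniature tree standing in for a real installation
    clean = {
        "wp-login.php": b"<?php // login\n",
        "wp-includes/user.php": b"<?php // user functions\n",
        "wp-admin/user-new.php": b"<?php // new user\n",
    }
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in clean.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # Constructed tampering: one core file changed, one stray file dropped
        with open(os.path.join(root, "wp-includes/user.php"), "ab") as f:
            f.write(b"// constructed change\n")
        with open(os.path.join(root, "wp-admin/extra.php"), "wb") as f:
            f.write(b"<?php // constructed stray file\n")
        return audit_core(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Plugin and theme directories under `wp-content` are outside this check and need their own baseline, since the manifest here covers core files only.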