Wordfence has recently done some pretty awesome investigation into some bad actors in the WordPress plugin arena. Bottom line of all this: watch out for plugins that aren’t updated, especially if they are pulled from the WordPress repository. As the author suggests, things are only going to get worse, and since WordPress now powers the majority of web sites, there is a huge payoff for miscreants who would hijack our sites. Spire Express presently uses the Wordfence plugin on several of its sites. It’s a great plugin that does periodic scans, warning the site owner about potential pitfalls.
Here’s a follow-up article from Wordfence on the same subject. Essentially, use only necessary plugins, know who you’re dealing with, and delete those that aren’t used (and install a good firewall, like Wordfence).