by matthewarkin 3764 days ago
There was a popular (4000+ active installs) WordPress plugin for Stripe that up until recently (read: a week ago) wasn't PCI compliant. I wouldn't be surprised if this sort of thing is more common than just one or two rogue plugins (maybe not as bad as stealing admin credentials, but at a minimum doing things that most people would not consider secure). I would think so, as a large portion of WordPress users just download and install whichever plugin looks popular and don't verify / validate the actual code.
1 comments

Don't we all do that? We install code from github, we run curl commands and pipe them through bash, we use apt or yum. How many people actually look at the code?
True, though to some extent I'd expect the moderation and reviews of people on GitHub or apt would be stronger than that of the average WordPress user.