Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites

An undisclosed buyer purchased the Captcha WordPress plugin, which had more than 300,000 active installations, from developer BestWebSoft and then modified it to download and install a hidden backdoor. The backdoor allowed the plugin author or other attackers to gain remote administrative access to WordPress sites without any authentication. WordPress has removed the affected Captcha plugin from its official plugin store. Website administrators are urged to replace the plugin with the latest official Captcha version to mitigate this threat.

Relevant URL(s): https://thehackernews.com/2017/12/wordpress-security-plugin.html