Backdoor in Captcha Plugin Affects 300K WordPress Sites

The plugin downloads malicious code, hijacks your admin account and grants the plugin author full access to your WordPress site. As reported by

A backdoor file allows an attacker, or in this case, a plugin author, to gain unauthorized administrative access to your website. This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself.
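As an added example (not code from the original report or from the plugin), the three behaviours described above can be turned into a triage scan of plugin PHP files. The patterns are assumptions about how such code looks in source: `wp_set_current_user` and `wp_set_auth_cookie` are real WordPress core functions that the article does not name, and both sample inputs are constructed.

```python
import re
from pathlib import Path

# Source patterns for the three described behaviours (assumed, not taken from the plugin).
SIGNALS = {
    "hardcoded_user_1": re.compile(r"""\bwp_set_(?:current_user|auth_cookie)\s*\(\s*['"]?1['"]?\s*[,)]"""),
    "sets_auth_cookie": re.compile(r"\bwp_set_auth_cookie\s*\("),
    "deletes_itself": re.compile(r"\bunlink\s*\(\s*__FILE__\s*\)"),
}

# Matches PHP string literals (kept) or comments (dropped), so commented-out calls don't count.
_TOKEN = re.compile(r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""", re.S)

def strip_comments(php):
    return _TOKEN.sub(lambda m: m.group(1) or " ", php)

def scan_php(source):
    """Return (verdict, matched signal names) for one PHP source string."""
    code = strip_comments(source)
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(code))
    if len(hits) == len(SIGNALS):
        verdict = "match"    # all three behaviours in one file
    elif "hardcoded_user_1" in hits or "deletes_itself" in hits:
        verdict = "review"   # rare in legitimate plugins, worth a manual look
    else:
        verdict = "none"     # an auth cookie for a variable user is normal login code
    return verdict, hits

def scan_tree(root):
    """Scan every .php file under root, e.g. a copy of wp-content/plugins."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        verdict, hits = scan_php(path.read_text(errors="replace"))
        if verdict != "none":
            findings[str(path)] = (verdict, hits)
    return findings

# Constructed samples for illustration only.
SAMPLE_SUSPECT = """<?php
// constructed sample, not the plugin's code
wp_set_current_user(1);
wp_set_auth_cookie(1);
unlink(__FILE__);
"""
SAMPLE_BENIGN = """<?php
// unlink(__FILE__); in a comment must not count
$user = wp_signon($creds);
wp_set_auth_cookie($user->ID, true);
"""
```

Because the file described here deletes itself after running, a clean scan of the live site does not rule out past use; run the scan over backups or the plugin's distributed archive as well.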

Installing a random WordPress plugin is risky. Be careful out there.