“The plugin in question was Custom Content Type Manager (CCTM), a popular WordPress plugin for creating custom post types that, in the three years since it was uploaded on the WordPress plugin repo, has amassed quite a following, being currently installed on more than 10,000 sites.
Custom Content Type Manager version 0.9.8.8 contains malicious code
As Sucuri’s investigation revealed, in the past two weeks, the plugin that looked like an abandoned project for the last 10 months, mysteriously changed owner, and immediately after, the new developer, named wooranker, updated the plugin and pushed out a new version.”
The question, for me, is how did this person get ownership and access to update a WordPress plugin? Is there some flaw in the WordPress plugin community that would allow someone to take ownership of existing plugins? That’s scary. The original Sucuri post has some more info in that regard.