It was recently discovered that a popular Captch WordPress plugin that was sold to an undisclosed buyer, has been modified and had a backdoor installed. The backdoor allows the plugin author to remotely gain administrative access to the WordPress websites. WordFence and WordPress teamed up to patch the affected version of the Captcha plug-in as well as preventing the author to publish further updates. It is advised and recommended that website administrators are replacing their Captcha plugin with the latest version.
https://thehackernews.com/2017/12/wordpress-security-plugin.html