A recent series of attacks on WordPress websites have come from widely used, previously trusted plugins. In most cases, the authors had sold their plugins to another company and that new company injected malware in an attempt to monetize their new asset or do harm.

Checking your themes and plugins for vulnerabilities and trust-ability is an ongoing requirement, not an installation-time only task.

More details from Wordfence’s blog:
https://www.wordfence.com/blog/2018/01/wordpress-supply-chain-attacks/