WordPress Plugin ‘Social Warfare’ < 3.5.3 XSS

A malicious eval() call is being inserted into the wp_options table, in the row whose option_name is social_warfare_settings, inside the Twitter field of the serialized settings.

While the plugin is active, the injected code causes the site to issue a JavaScript redirect to porn sites.

Deactivating the plugin disables the redirect, but the malicious eval() is still in the database.
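Because the payload lives in the database rather than in the plugin files, the check has to look at the stored option value itself, not at whether the plugin is active. The following script is an added example (not code from the advisory, from Tenable, or from the Social Warfare project): it unserializes a wp_options value the way PHP stored it and flags any string field containing eval() or script tags, reporting the key path so the Twitter field stands out. The settings key names (`twitter_id` and the others) and the sample values are constructed for illustration; the real option layout may differ, which is why the scan walks every string rather than relying on a known key.

```python
import re
import sys

# Patterns a defender would expect in an injected redirect (constructed list, extend as needed).
SUSPICIOUS = re.compile(r'eval\s*\(|<script|document\.location|window\.location', re.IGNORECASE)


def php_unserialize(data: bytes):
    """Minimal PHP unserialize: handles s, i, b, d, N and a, which covers wp_options rows.
    Works on bytes because PHP string lengths are byte lengths, not character counts."""
    pos = 0

    def parse():
        nonlocal pos
        t = data[pos:pos + 1]
        if t == b'N':                      # N;
            pos += 2
            return None
        if t in (b'i', b'b', b'd'):        # i:123;  b:1;  d:1.5;
            end = data.index(b';', pos)
            raw = data[pos + 2:end]
            pos = end + 1
            if t == b'i':
                return int(raw)
            if t == b'b':
                return raw == b'1'
            return float(raw)
        if t == b's':                      # s:<len>:"<bytes>";
            colon = data.index(b':', pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2              # skip ':"'
            value = data[start:start + length]
            pos = start + length + 2       # skip '";'
            return value.decode('utf-8', 'replace')
        if t == b'a':                      # a:<count>:{<key><value>...}
            colon = data.index(b':', pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                # skip ':{'
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            pos += 1                       # skip '}'
            return result
        raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")

    return parse()


def php_serialize(value) -> bytes:
    """Inverse of the above, used only to build the constructed samples below."""
    if isinstance(value, bool):
        return b'b:%d;' % value
    if isinstance(value, int):
        return b'i:%d;' % value
    if isinstance(value, str):
        raw = value.encode('utf-8')
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b''.join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b'a:%d:{%s}' % (len(value), body)
    raise TypeError(f"cannot serialize {type(value).__name__}")


def find_suspicious(value, path=""):
    """Walk the unserialized settings and return (key_path, value) for every string that
    matches SUSPICIOUS. Nested arrays are descended so a payload hidden deeper is still found."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            hits.extend(find_suspicious(child, f"{path}/{key}"))
    elif isinstance(value, str) and SUSPICIOUS.search(value):
        hits.append((path, value))
    return hits


def scan_option_value(raw: bytes):
    """Entry point: raw is the option_value column exactly as stored in wp_options."""
    return find_suspicious(php_unserialize(raw))


# Constructed samples (assumed key names, not the plugin's real schema).
CLEAN_SETTINGS = {
    "twitter_id": "example_handle",
    "float_position": "left",
    "order_of_icons": {"twitter": "Twitter", "facebook": "Facebook"},
}
# Same settings with a placeholder eval() dropped into the Twitter field, mirroring the advisory.
INFECTED_SETTINGS = dict(CLEAN_SETTINGS, twitter_id='<script>eval("CONSTRUCTED_PLACEHOLDER")</script>')

if __name__ == "__main__":
    # Pipe the raw option_value in on stdin, e.g. from a mysql query against wp_options.
    raw = sys.stdin.buffer.read() if not sys.stdin.isatty() else php_serialize(INFECTED_SETTINGS)
    for key_path, text in scan_option_value(raw):
        print(f"suspicious content in {key_path}: {text[:80]}")
```

Run it against the real row by piping the output of a query such as `SELECT option_value FROM wp_options WHERE option_name = 'social_warfare_settings'` into the script; because it reads the stored value directly, it still reports the payload after the plugin has been deactivated, which is exactly the case the advisory warns about. Cleaning up means removing or replacing the affected field value in the database, not just disabling the plugin.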

The plugin has been pulled from the WordPress repository.

https://wordpress.org/support/topic/malware-into-new-update/

So far we have seen this exploited on live sites running 3.5.1 and 3.5.2.

Source: https://www.tenable.com/plugins/nessus/159570

See also: https://wpscan.com/vulnerability/9238
