In December 2022, an update was released for the WordPress plugin Bulk Delete Comments, which caused a JavaScript file with malicious code from a website to be loaded on to the admin area of websites using the plugin. That was immediately noticed by users of the plugin. The plugin was subsequently closed on the WordPress Plugin Directory. The plugin was recently reopened without the issue being properly resolved. The situation highlights multiple known problems that are not being addressed by WordPress.
The update that introduced the issue was version 1.4, and that is still the version available now: [Read more]