The Syncee WordPress plugin before 1.0.10 leaks the administrator token that can be used to take over the administrator's account.
Related posts