The WordPress Plugin WP-doctor contains a trojan, in the malware.txt file. A user made this public over a year ago, yet nothing happened. So, we reviewed it and they were right, so we contacted WordPress.
WordPress agreed that the trojan was in the software, however they could not find a point in the software where the trojan was being used. y So, in other words the software was shipped with malicous code, but they weren’t using the malicious code, or rather no one has yet to identify where that malicious code would work.
The WordPress team shut down the plugin while they talk to the team behind WP-Doctor to see if this was left over as part of an attempt in detecting malware, or if there is any legitimate reason for this WordPress Plugin to contain freaking malware.
Vulnerabilites are common in WordPress, malware shouldn’t be on WordPress or on any site as a useful program, yet this program at least has the trojan code in it. If it ever did anything is another question. At this point in time, we would advise you remove WP-doctor.